I spent a large part of my involuntary layover in Atlanta last month thinking about PCI, Control Objectives and Maturity. Sometimes interruptions to our business lives like this are good, since stepping back and interrupting our non-stop business life for moments of thought is critical to our own personal growth, and the growth of others as well (like our businesses).
I found my thoughts continually returning to the chasm that exists between compliance and maturity. Why do I call this a chasm? Because companies still, to this day, shoot for “compliance” with the goal of avoiding penalties. For InfoSec, security shouldn’t be the objective. The real objective should be sustainable security and the tangible benefits it can bring.
Sustainable security is when you have an effective, repeatable process or cycle of continuous improvement. This is a concept borrowed from CMMI, wonderfully articulated by SEI in the OCTAVE model, and used by CoBiT for measuring effectiveness of controls. There are various levels of maturity starting at ignorance and moving up through ad-hoc controls, defined controls, managed controls, and continuous improvement.
If we look at “compliance” we will typically find companies either at ad-hoc controls (ones which are based on heroics) or just at defined/managed controls. In these situations companies are “going through the motions” to satisfy an external master. These companies create an end-goal of passing an audit or assessment and then move on. Continuous improvement is not in their plan. “Just tell me what to do so I can do it, and get on with my job.” Their view is that compliance is an impediment to their business – one more hurdle to jump over before moving on to other, more important things that they see as being more directly beneficial to their business.
Maturity comes when we move beyond “going through the motions” and actually monitor and measure the success of our program. A bank or an insurance company would never manage its financial risks the same way year after year. They would evaluate their existing controls, and evaluate the external environment, threats and the variables which change constantly. Risk management requires awareness of the effectiveness of our efforts measured against objectives, and evaluation of the objectives themselves.
The same applies to Information Security. An effective security risk management process evaluates the environment, assets and evolution of threats to choose appropriate controls, and evaluates whether the selected controls are operating effectively. These evaluations should be continuous and ongoing because the environment is ever changing. We must perform both types of evaluation: of the threats and environment that drive our choice of controls, and of how effectively the chosen controls are operating.
So what is the challenge we have in moving from compliance to maturity?
As a concept, sustainable security isn’t very attractive to many executives, and I can understand why – how does it bring a benefit to customers and the company bottom line? If you take sustainable security at face value, the answer is, “Not much.” It looks on the surface like a nice “process improvement” practice, but without any significant returns for the business.
How do you answer this challenge? How do you make a model of sustainable security and maturity meaningful? The answer is in the facts. Show these managers and executives the business risks, AND benefits of security controls. Use quantitative research (for example, Visible Ops by Gene Kim) that shows the specific benefits of specific controls. Put those benefits into terms they can understand from their tower of denial…
(a) Managing, controlling, and creating awareness around changes to systems and programs in your environment is proven to create a more stable and predictable working environment for your employees. Users are prepared for changes and are more quickly able to take advantage of the benefits the changes offer them.
(b) Appropriately testing new systems and programs before putting them into production results in higher customer satisfaction, as customers and users have more positive (and fewer negative) experiences with the systems and programs. Happy customers are the result of systems that work properly and are available when they are needed. Testing ensures that this is the case.
(c) Building and maintaining systems in a consistent manner through standards has been proven to create a more stable and predictable environment where problems are more easily detected and fixed. This results in higher availability for the tools that your customers and employees need to help you create revenue and customer satisfaction.
I use these examples since they are the subject of great studies and I can pull out the quantitative data to support them. We will always need more research on what works, and what doesn’t. More importantly, we need to be ready to convert this research into meaningful messages that make security meaningful to executives. Once the company understands that the benefit is much greater than just a check box or risk management, they will move faster towards the goal. Our challenge is to take our research beyond just “what got broken into” and into “what creates tangible benefits for a company”.