How are you evaluating your organization's Information Security maturity level and how are you setting the goal post?
Information Management, Security, Risk and Privacy in Healthcare and Biotech, a year ago
In my opinion NIST provides the best framework for a comprehensive view of information security maturity. It has broad adoption in other infosec frameworks used across most industries. I've used it with good success. As for setting the goal post, that depends entirely upon the risk assessments that you perform for your business. You need to determine where your infosec risks reside and how severe they are, and then create a risk management plan accordingly. If your risks are severe, then the plan that you present to management needs to be very aggressive, and you need to be forthright and bold in presenting what needs to be done to bring the company's security risk into alignment with its risk tolerance. Your plan must be formulated in context with the other risks the business is facing so that business resources are optimized.
Former CISO, VP in IT Services, a year ago
I also agree that NIST CSF is the best initial framework to measure the maturity of a Cybersecurity program. The maturity measurement output is a key input, along with assessing and identifying the most critical risks to the business, its information, and its compliance needs. The goals of the program and the measurement goalposts are identified from these inputs and should be aligned to the business priorities to ensure funding, protection of the business "Crown Jewels", and prioritized implementation of basic cyber hygiene solutions such as MFA.
Initial progress measurement of the program's journey (aka Y1's goal post) consists of Year-over-Year measurement of the progress in program maturity, critical business risks managed/risks addressed, and improvements in protection of the Crown Jewels. Then Year 2's goal posts are identified and so on...
CTO in Banking, a year ago
and have provided good insights. I especially like Scott's point about integrating the way you describe these risks into the rest of the business risks and opportunities (as opposed to treating it like another silo). For the assessment, I use ISO 27001 because of some international considerations and for the additional rigor.
Senior VP & CISO, a year ago
Yes, NIST CSF