Level Up Your Governance to Drive Business Growth

Author: Kelly Hood, CISSP, Optic Cyber Solutions
Published: April 12, 2022

When you search for the term “cybersecurity” online, you get approximately 17 billion images of padlocks and shields – but what is this trying to communicate? Often, when we think about how to secure our companies, we jump to the technical solutions by buying products or running penetration tests. While these are important pieces of the puzzle, it’s also important to think about our business values and what we’re trying to achieve. Before jumping straight to a solution, we need to understand the problem we are trying to solve. This is why maturing cyber governance and risk management capabilities is so important.

No organization has unlimited time and resources available to solve problems, especially when they aren’t directly tied to company profits. Unless a company is in the cybersecurity business, cybersecurity is not typically seen as a key business priority – which it shouldn’t be! BUT cybersecurity should be considered and managed per the risk it seeks to mitigate for the organization. This is done through implementing processes and capabilities to enable effective decision making, ensuring those limited resources are utilized efficiently and that they are having the desired outcomes. So how do we do this? We define our priorities and create governance processes to support them.

Evaluating companies based on their business goals helps us to understand what should be driving our decision-making processes. Ultimately, we want to ensure that every action a company takes is supporting its key business goals and is being achieved consistently to provide confidence to the stakeholders involved. This can be done using many different methodologies at various levels of maturity. So how do we know where to start?

Mature organizations with strong governance programs likely have policies and processes in place defining how a stakeholder group (e.g., board of directors, the C-Suite) makes decisions for the organization. Typically, these organizations will define the resulting expectations for employees when it comes time to execute these decisions, to ensure they can be reliably implemented. However, even in very small organizations, there are usually informal systems of governance in place. While these processes may not be documented, employees are generally aware of where the decisions are coming from. Whether guidance is being provided by a supervisor or direction is formally documented in a policy, there are always decisions being made. The question then becomes whether the decisions are best for the organization.

As companies grow, they typically mature their governance capabilities to gain confidence that the best decisions are being made based on the information and resources available. ISACA’s Cybermaturity Platform (CCP) is expanding its governance guidance to include capabilities across all five levels of maturity defined within CCP’s Model, transitioning from only being available at the highest levels of cybermaturity. This update is designed to help small and mid-sized companies gain a better understanding of how to improve their governance capabilities by leveraging informal processes they may already have in place. By expanding the definition of these capabilities into lower maturity levels, a broader set of organizations will be able to leverage these capabilities to identify where they are today, even if informally, and see a path toward greater cybermaturity without being overwhelmed by the formality.

More information regarding CCP is available at http://ntq.aprender-a-bailar.com/enterprise/cmmi-cybermaturity-platform.