Assess and understand the difference between your current and targeted maturity to better prioritize and plan for your future
This blog is part of Apex Digital Solutions’ Best-In-Class Security series. In this blog series, we explore key topics in Developing and Implementing a Best-In-Class Security Strategy.
If you have spent any time overseas in London, you may have become very familiar with the phrase “mind the gap”. The phrase repeats over and over on the famous London “tube” as the doors open. The recorded English voice politely reminds passengers to watch their step between the train and the platform. For me, that phrase has become synonymous with any trip to London, and it has taken on a higher meaning. When I think about prioritizing activities when building and implementing a best-in-class security strategy, this phrase also plays in my head repeatedly.
In the first blog of this series, “Measuring for Success”, we talked about the importance of leveraging a framework (or industry standard best practice) to help you evaluate your current maturity posture. The choice of framework(s) and/or standard(s) is critical on the path to success and should be well thought out.
However, once you have a chosen framework, what is the next key step in developing a best-in-class strategy to improve and mature your organization? In this blog, I will discuss how to assess and understand the difference between your current and targeted maturity to better prioritize and plan for your future.
To build the best possible plan, you must first understand exactly where you are starting from. Performing an assessment against your selected framework is the first key step. This becomes the baseline from which all other work is driven.
While the structure of each framework is a little different, they all ultimately break down into specific outcomes or controls tied to management or technical capabilities for different functional areas of security.
During the assessment, be sure to involve all the key stakeholders and subject matter experts for each of the functional areas of your business (and processes) that are being assessed. Drive towards a consensus on your current maturity level, leveraging, if applicable, the scoring rubric that accompanies your framework of choice. Above all else, it is essential that you are honest in your assessment of your current maturity.
Just as important as determining your current maturity state for each area is determining what your business aspires to achieve for each (functional) area. Aspirations can come from specific business goals or objectives, or they can come from legal, contractual, or regulatory requirements that may be mandated.
Whatever the case, it is important to understand where the business would like to score in the future for each assessed functional area. A key consideration in determining the future goal is to understand that it is unrealistic to achieve “perfect” scores for all functional areas. Make sure to set goals and expectations that are realistic to achieve.
Now that you have assessed your current maturity level and have also identified a target maturity level for each functional area of your organization, the gaps should be easy to identify.
The most important step, at this stage, is to document each of the identified gaps as part of your self-assessment. The focus should first be on creating a list of the identified gaps and their corresponding current score along with their target (future state).
A simple spreadsheet works to help you list the functional area, the current maturity score, the target score, and the variance between current and target scores.
To define potential solutions for each of the identified gaps above, put together a tiger team of key stakeholders and SMEs for each functional area. Solutions to address a gap can take many forms, including leveraging third-party software and services or establishing procedures, policies, and formal processes.
In some cases, it may take more than one solution to address a specific gap. For this reason, it is important to understand, for each solution, what its relative impact on the maturity score will be, how difficult the solution will be to implement, and what the solution will cost.
Next, we must prioritize addressing our gaps. It is important to understand that not all gaps are created equal. Resist the urge to simply look at the list you created and prioritize the functional areas based on the largest disparity between current and target maturity scores. This is only part of the equation.
In the prioritization effort, we must factor in a few key data points:
- Importance – the importance of the identified gap to the business
- Difficulty – the level of effort required to address the gap based on current resources
- Cost – the cost of the proposed solution to address the gap
There is no single answer for how to best make final determinations on priorities. For simplicity, you could map the solutions onto a simple four-quadrant matrix of cost vs impact (low-cost/low-impact, low-cost/high-impact, high-cost/low-impact, high-cost/high-impact) and visually represent each of the solutions.
In some cases, for various reasons, an organization may decide not to take any action to address a specific gap. An organization may accept the risk because the cost-benefit of addressing the gap does not justify the investment, or because technical limitations prevent it from maturing. Either way, when the organization decides not to address a gap, the decision should be documented and noted as part of the analysis for future reference. In the end, it is critical to establish a team to review each of the gaps and to make final determinations on priority and sequencing.
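The gap register and prioritization described above, worked through as an added Python example. This is not Apex’s Vantage or any tool from the original post; it assumes 1–5 scales for importance, difficulty and cost, the weighting in `priority_score` and the split points in `quadrant` are illustrative assumptions, and the sample assessment data is constructed. It records accepted risks alongside the open gaps and refuses to accept a risk without a documented rationale.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Solution:
    """One candidate solution for a gap, with its own impact, difficulty and cost."""
    name: str
    impact: int      # maturity levels the solution is expected to add (assumed scale)
    difficulty: int  # 1 (easy) .. 5 (hard), assumed scale
    cost: int        # 1 (cheap) .. 5 (expensive), assumed scale


@dataclass
class Gap:
    """One functional area from the self-assessment."""
    area: str
    current: int            # current maturity score on the framework's scale
    target: int             # target (future state) score
    importance: int         # 1 .. 5 importance of the gap to the business (assumed scale)
    solutions: List[Solution] = field(default_factory=list)
    accepted_risk: bool = False   # the organization chose not to address the gap
    rationale: str = ""           # required when accepted_risk is True

    @property
    def variance(self) -> int:
        return self.target - self.current


def quadrant(sol: Solution, cost_split: int = 3, impact_split: int = 2) -> str:
    """Place a solution in the four-quadrant cost vs impact matrix.

    The split points are assumptions; tune them to your own scoring scale.
    """
    cost = "high-cost" if sol.cost >= cost_split else "low-cost"
    impact = "high-impact" if sol.impact >= impact_split else "low-impact"
    return f"{cost}, {impact}"


def priority_score(gap: Gap, sol: Solution) -> float:
    """Assumed weighting: business-weighted benefit divided by effort.

    Benefit counts only the part of the variance the solution can actually
    close; effort is difficulty plus cost.
    """
    delivered = min(sol.impact, gap.variance)
    return round(gap.importance * delivered / (sol.difficulty + sol.cost), 2)


def build_register(gaps: List[Gap]) -> List[Dict]:
    """Return register rows: open solutions sorted by priority, then gaps with
    no solution defined, then accepted risks (kept for future reference)."""
    actionable, unplanned, accepted = [], [], []
    for gap in gaps:
        if gap.variance <= 0:
            continue  # current meets target: nothing to record
        base = {"area": gap.area, "current": gap.current,
                "target": gap.target, "variance": gap.variance}
        if gap.accepted_risk:
            if not gap.rationale.strip():
                raise ValueError(f"{gap.area}: accepted risk must carry a documented rationale")
            accepted.append({**base, "status": "accepted-risk", "rationale": gap.rationale})
            continue
        if not gap.solutions:
            unplanned.append({**base, "status": "no-solution-defined"})
            continue
        for sol in gap.solutions:
            actionable.append({**base, "solution": sol.name, "quadrant": quadrant(sol),
                               "score": priority_score(gap, sol), "status": "open"})
    actionable.sort(key=lambda r: r["score"], reverse=True)
    return actionable + unplanned + accepted


# Constructed sample assessment (illustrative values, not real data)
SAMPLE_GAPS = [
    Gap("Identity & Access", current=2, target=4, importance=5, solutions=[
        Solution("MFA rollout", impact=1, difficulty=2, cost=2),
        Solution("Privileged access management platform", impact=2, difficulty=3, cost=4),
    ]),
    Gap("Security Awareness", current=1, target=3, importance=3, solutions=[
        Solution("Annual training program", impact=2, difficulty=1, cost=1),
    ]),
    Gap("Physical Security", current=3, target=4, importance=2,
        accepted_risk=True, rationale="Leased facility; landlord controls building access."),
    Gap("Logging & Monitoring", current=3, target=3, importance=4),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_GAPS):
        print(row)
```

The ranking is deliberately not just the largest variance: the privileged-access solution closes the biggest, most important gap but lands in the high-cost quadrant, so the cheap, high-impact training program ranks first. Accepted risks stay in the register with their rationale rather than disappearing from the list.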
The next blog in the Best-In-Class series (“How Hungry Are You?”) will cover the topic of understanding (and establishing) your organization’s appetite for risk. Similar to personal financial investment strategies, you must understand your organization’s appetite for cyber risk and risk tolerance to make appropriate decisions.
Vantage, Apex Digital Solutions’ proprietary capability and operational maturity model, is designed to help organizations monitor and measure their current maturity based on key questions and traits. Vantage helps identify and prioritize critical areas that organizations can improve over time through continuous assessment and re-assessment across core functional areas, including security.