How are you evaluating your organization's Information Security maturity level and how are you setting the goal post?

Senior VP & CISO, 2 years ago

Yes, NIST CSF

CTO in Banking, 2 years ago

Scott Mackelprang and Dana Wells have provided good insights. I especially like Scott’s point about integrating the way you describe these risks into the rest of the business risks and opportunities (as opposed to treating it like another silo). For the assessment, I use ISO 27001 because of some international considerations and for the additional rigor.

Former CISO, VP in IT Services, 2 years ago

I also agree that NIST CSF is the best initial framework to measure the maturity of a cybersecurity program. The maturity measurement output is a key input, along with assessing and identifying the most critical risks to the business, its information, and its compliance needs.
The goals of the program and the measurement goalposts are identified from these inputs and should be aligned to the business priorities to ensure both funding and protection of the business "Crown Jewels", along with prioritized implementation of basic cyber hygiene solutions such as MFA.

Initial progress measurement of the program's journey (aka Year 1's goal post) consists of year-over-year measurement of progress in program maturity, critical business risks managed/addressed, and improvements in protection of the Crown Jewels. Then Year 2's goal posts are identified, and so on...

Information Management, Security, Risk and Privacy in Healthcare and Biotech, 2 years ago

In my opinion NIST provides the best framework for a comprehensive view of information security maturity. It has broad adoption in other infosec frameworks used across most industries. I've used it with good success. As for setting the goal post, that depends entirely upon the risk assessments that you perform for your business. You need to determine where your infosec risks reside and how severe they are, and then create a risk management plan accordingly. If your risks are severe, then the plan that you present to management needs to be very aggressive, and you need to be forthright and bold in presenting what needs to be done to bring the company's security risk into alignment with its risk tolerance. Your plan must be formulated in context with the other risks the business is facing so that business resources are optimized.
