The security industry has been following a set pattern of evolution when it comes to cyber security maturity. Since organizations face a much more dangerous threat landscape, they need to be actively evolving their historical security defenses and integrating them into a formal security and business risk framework. At the recent RSA Conference in Europe, Art Coviello talked about the ‘Spectrum of cyber security maturity’ and outlined four key stages:
1. Threat Defense/Control phase
2. Compliance in-depth
3. IT Risk based security
4. Business risk based security
Phase one is where the evolution began, with perimeter network and basic threat defenses. Installing anti-virus and firewalls was deemed to be adequate. But the reality is that this approach is totally reactive and becomes a game of ‘whack-a-mole’. Our objective should be to know where the mole is going to pop up from!
The next phase was driven by industries in highly regulated environments that needed to implement the appropriate controls to meet compliance requirements, e.g. PCI. This led to a ‘tick box’ era of security, which led organizations to believe that if they were compliant they were secure; but compliance does not equal security. Organizations that truly understand their threat landscape are in the IT Risk category, where they are taking the right steps to evolve their IT infrastructure. What we should all aspire to is the Business Risk phase, where organizations can change their business models based on all the technology available to them, taking maximum advantage of mobility and the cloud, and moving their security infrastructures in concert with these changes. Where the IT Risk category is tactical, the Business Risk category is the most focused and strategic.
So, here’s the question: ‘where does cyber security training fit into these phases?’ Surely at each phase we should be looking at the appropriate training. A familiar pattern emerges when we look at the training organizations have actually provided. So, at phase one, we have firewall/perimeter training, mainly focused on the technical staff configuring these devices. The Compliance phase meant staff had the right training to pass the audit. I was watching a program on TV the other night about a hotel failing to meet its inspection because the sofa in the room that failed was a bit worn and the curtains had a hole in them. The hotel merely moved a sofa and curtains from a room that had already passed inspection. On re-inspection they passed. Anyway, the point is that the training was only to meet the compliance requirement, not to improve security.
Phases 3 and 4 require a completely different approach based on risk. One size doesn’t fit all here, and employees need to be given the right training for their role: training that’s relevant and that identifies where employees might need additional learning. Ask yourself the question: is the training we provide today in line with our security maturity model?