New CISO? Use This Model To Map Your Plan
If you've just been promoted or hired into a Chief Information Security Officer (CISO) role, you are probably asking how you can significantly improve your cybersecurity posture with limited staff and tight funding. There is no miracle cure, but a plan that delivers incremental improvement over time is the only viable approach in that environment.
I have taught cybersecurity for healthcare IT professionals for years, and I continually come back to one model: the Capability Maturity Model Integration (CMMI), now managed by ISACA. It is easy to understand, easy to implement, and easy to measure progress against, because every capability is rated on the same five-level scale, from Level 1 (Initial, where work is ad hoc and success depends on individual effort) up to Level 5 (Optimizing). Every organization wants a fully mature cybersecurity program, but few have reached that pinnacle. Instead, focus first on the areas that require the most remediation. You can often identify quick wins that improve your posture incrementally, and each action that reduces risk compounds over time.
My recommendation is to take your cybersecurity framework (I use the NIST Cybersecurity Framework, CSF) and map your capabilities against it. Identify, Protect, Detect, Respond, and Recover are the five core functions of the NIST CSF (CSF 2.0 adds a sixth, Govern). For each function, assess where your capabilities sit on the CMMI scale, and apply your resources and effort to the areas with the lowest readiness first. If all of your capabilities are at Level 1, consider bringing in external resources to help you improve quickly.
Your risk assessment should identify risks and vulnerabilities, but taking the time to map them against the CMMI model helps you set priorities for remediation and investment. You can't do twenty things at once and do them well, so triage, prioritize, and act.
Your remediation plan should address Critical and High risks first. Any capability area rated at Level 1 or 2 should also be flagged as a high priority. For example, if your patch management is hit-or-miss (or mostly miss), treat it as a high priority: unpatched systems are exposed to vulnerabilities for which fixes already exist.
Monitor your progress against both your risk remediation plan and your CMMI targets. Put strong processes in place through automation, training, and monitoring so that your cybersecurity capabilities continue to grow at a steady, consistent pace. Hold managers and staff accountable for following procedures, including change control, testing and validation, and system hardening, to name just three.
Continuous Effort Yields Continuous Improvement
My karate teacher many years ago, the honorable Mr. Ken Carson, always said "Practice doesn't make perfect; perfect practice makes perfect." It is a saying that has stayed with me for decades and often guides my actions. If you want to reach a state of excellence, you must continuously practice with excellence. In the field of cybersecurity, you will never achieve perfection, but achieving excellence is possible.