How are you evaluating your organization's Information Security maturity level and how are you setting the goal post?

1.1k views · 1 Upvote · 5 Comments

Information Management, Security, Risk and Privacy in Healthcare and Biotech, 201 - 500 employees
In my opinion NIST provides the best framework for a comprehensive view of information security maturity. It has broad adoption in other infosec frameworks used across most industries. I've used it with good success. As for setting the goal post, that depends entirely upon the risk assessments that you perform for your business. You need to determine where your infosec risks reside and how severe they are, and then create a risk management plan accordingly. If your risks are severe, then the plan that you present to management needs to be very aggressive, and you need to be forthright and bold in presenting what needs to be done to bring the company's security risk into alignment with its risk tolerance. Your plan must be formulated in context with the other risks the business is facing so that business resources are optimized.
Former CISO, VP in IT Services, Self-employed
I also agree that NIST CSF is the best initial framework to measure the maturity of a cybersecurity program. The maturity measurement output is a key input, along with assessing and identifying the most critical risks to the business, its information, and its compliance needs.
The goals of the program and the measurement goalposts are identified from these inputs and should be aligned to the business priorities to ensure both funding and protection of the business "Crown Jewels", along with prioritized implementation of basic cyber hygiene solutions such as MFA.

Initial progress measurement of the program's journey (aka Year 1's goal post) consists of year-over-year measurement of the progress in program maturity, critical business risks managed/risks addressed, and improvements in protection of the Crown Jewels. Then Year 2's goal posts are identified, and so on...
CTO in Banking, 51 - 200 employees
and have provided good insights. I especially like Scott’s point about integrating the way you describe these risks into the rest of the business risks and opportunities (as opposed to treating it like another silo). For the assessment, I use ISO 27001 because of some international considerations and for the additional rigor.
Head IT - Infrastructure, Ops & Applications at Dhani, Indiabulls Group in IT Services, 5,001 - 10,000 employees
By performing a CSMA (Cyber Security Maturity Assessment) across legal entities and finding loopholes which need to be fixed.