Bears in the woods

Over the years there has been a mantra that many security professionals, including myself, have espoused. It's based on the age-old joke: "if you are out in the woods with your friend and you get chased by a bear, how fast do you have to run?", with the punchline being "faster than your friend".

This same joke is often translated into the cyber security paradigm. Security professionals use the analogy to garner support for security initiatives that will lift their security maturity rating (for their methodology/framework of preference) a bit higher than the average of their peers, the rationale being that if you are better than your peers you are less likely to be compromised by a cyber attacker.

Is this approach of focusing on maturity ratings sensible, and, more importantly, does it result in a false sense of security for both the security professional and their executive leadership? Can chasing a number on a maturity rating mean organisations focus their efforts in the wrong place, at the expense of identifying the security domains where additional investment would reap bigger risk reduction without achieving a material change to the holy-grail maturity rating?

Another question is whether there is statistical evidence that being better than peers in security maturity ratings has a tangible impact on the likelihood of an organisation being subject to a cyber attack compared to their peers. On this point I'm not trying to compare those with a rating of 2 against those with a 4, where the gap will mean low-skilled cyber attackers are able to successfully effect a breach. Rather, I'm focusing on the incremental gains where decimal points are in play (i.e. those with 3.5 versus 3.8, etc.), where the cost of achieving the marginal improvements can be significant. Is there available research that supports the bear-in-the-woods hypothesis at this level?

Keen to hear other perspectives on the value, or otherwise, of chasing maturity ratings across both the cyber security industry and also other domains where maturity ratings are commonly in use.
