In Defence of Maturity-based Approaches for Cyber Security

Jean-Christophe Gaillard
June 12, 2020 Big Data, Cloud & DevOps

It doesn’t make sense to oppose maturity & risk-based approaches to cyber security

This interesting piece from McKinsey made me think and deserves some comments: “The risk-based approach to cybersecurity” (Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle – October 2019).

The risk-based approach it promotes has solid foundations and is in fact nothing new. It echoes in many ways the model we – at Corix Partners – have been developing and delivering with clients and associates for the past 10 years.

But I don’t think it makes sense – or indeed helps the industry move forward – to oppose maturity-based approaches and risk-based approaches. And the characterization of maturity-based models as “a dog that had its day” is frankly excessive.

The assumption that risk-based approaches are somehow more advanced than maturity-based ones, and represent an “evolution” of cyber security practices, is highly disputable, and the claim that maturity-based approaches lead to over-engineering and over-spending by a factor of 3 compared to risk-based approaches is simply misleading (a footnote actually describes the costs mentioned as “illustrative and extrapolated from real-world examples and estimates”).

As a matter of fact, those two approaches are just different ways of managing, driving and measuring action around cyber security in different situations and different firms. One does not have to be superior to the other.

The keys are elsewhere: the approach a firm decides to follow has to be right in relation to the firm’s management and governance culture and its objectives around cyber security. Those will naturally vary from one organization to another, and from one management team to the next.

One trend we are observing more and more is actually the weakening of traditional risk and compliance drivers around cyber security with senior executives. The “when-not-if” paradigm around cyber-attacks is taking firm root in many boardrooms, and many firms are committing very large amounts to large-scale transformative security programmes; but in return, the board expects execution and protection, and holds CIOs and CISOs accountable for both.

In those situations, risk often goes to the background, delivery takes centre-stage, and maturity-based approaches generally work well, as long as they revolve around a clear set of capabilities to be developed through the delivery of clear tangible actions to achieve a clear target maturity level.

This is not an approach that works well only in situations where initial maturity levels are low: it can continue to work throughout the maturity spectrum up to advanced levels. And as long as the capabilities, and the actions required to develop them, are backed against the firm’s objectives around cyber security and the real threats it is facing, there is no reason to assume that it would lead to a greater degree of over-engineering – and over-spending – than other approaches.

As a matter of fact, whether a firm takes a maturity-driven route or a risk-driven route to ensure it is well protected from cyber threats, neither changes the nature, the reality or the virulence of those threats, and as a result neither changes the nature of the measures the firm needs to have in place to be well protected. Those necessary protective measures may end up ordered or prioritised differently, in order to improve maturity or reduce risk, but barring political manipulation by stakeholders, they will be the same and will cost the same.

The chosen approach simply needs to be right to give the executives in charge the levers they need to understand and manage the firm’s cyber security posture.

It is our experience that simplicity, clarity and consistency are often the real factors behind successful approaches, and at that game maturity-based models often win because they can be action-driven from the start, are faster to put in place, and are less vulnerable to window-dressing by stakeholders.
