Measuring maturity in security - CM-SMM
There are a lot of security maturity models out there. But still, in 2016 we had the idea to create our own. By Kristof Tuyteleers, DNS Belgium.
There are a lot of security maturity models out there. But still, in 2016 we had the idea to create our own. Not because we wanted to reinvent the wheel. But we wanted to work with a qualitative model that uses tailored content that fits our industry.
We, that's some of the founding members of the European TLD ISAC. The CENTR Member Security Maturity Model (CM-SMM) was developed by incorporating concepts from a combination of existing (cybersecurity) maturity models, security standards and best practices.
The CM-SMM is a hybrid model, allowing respondents to benchmark their current security maturity and to measure how security practices are evolving through time. It provides insides into the organisation's level of security resilience and into the capabilities to deal with potential information security incidents.
The CM-SMM aims to provide organisations with the ability to:
- Strengthen their information security resilience and capabilities;
- Enable a consistent and effective evaluation of benchmark information security practices;
- Provide means for assessing and benchmarking performance;
- Identify gaps and develop improvement plans;
- Prioritise actions and investments that improve information security;
- Demonstrate results of improvement efforts;
- Share knowledge, best practices and relevant capabilities within the organisation as a means to improve information security practices.
The insights that participants gain from performing a cybersecurity maturity assessment based on our model will help organisations build and update their roadmap for creating effective and cost-efficient cybersecurity programs.
We consider the CM-SMM to be a valuable tool to identify gaps and opportunities for improvement. It allows to make security efforts visible to the organisation's management bodies, and ultimately get the necessary support and resources.
Five steps in incident management
Our model is loosely based on the NIST cybersecurity framework structure (National Institute of Standards and Technology), and is built around the five steps of the incident management process. The NIST cybersecurity framework is a set of guidelines for companies to be better prepared for the detection of, and response to, cyber-attacks.
This results in the identification of 5 key domains which are being used in our model:
- Establish: establish a framework to manage cybersecurity risks;
- Prevent: prevent security incidents from happening;
- Detect: detect incidents;
- Respond: how will you respond to security incidents;
- Recover, finally, is about restoring your normal activities after an incident. What did you learn from this and what will you be doing to avoid a repetition of the incident?
With the new partnership within the European TLD ISAC, we strive to improve our capabilities in all these five domains. A major challenge lies in detection. Due to the attack surface (DNS is an internet-facing service), a flood of information (logs, indicators of compromise, etc.), or even an overwhelming number of (false) alarms, it is not easy to identify incidents and breaches. We want to rationalise and optimise our efforts through data exchange.
Five maturity levels
The CM-SMM defines five maturity levels (ML), ranging from ML1 to ML5. These levels indicate a progression of maturity. It goes from 'incomplete', 'performed', 'managed', and 'measured' to 'improving'. At that highest level, processes are evaluated and adapted to changing needs.
We've also added ML0, which stands for 'non-existing', when an organisation does not address (yet) a statement in the model. As the '0' indicates, tt is not counted as a maturity level.
Maturity levels are cumulative, so for ML2 and above, the practice must have already achieved the previous maturity levels.
We have tried to make the self-assessment as objective as possible by using a number of statements for each maturity level. Those statements are based on relevant ISO/IEC 27001 Annex A controls and translated to the scale of TLD registries and business operations.
This means the model does not allow you to score or level yourself. You must indicate for each statement whether your organisation complies with this structurally or not. If you answer no to a statement in a section, you will not be able to reach the maturity level linked to the statement.
The model provides a very good idea of the extent to which a company complies with the NIS-legislation (Network and Information Security) because it maps the content of the ISO/IEC 27001 standard on the structure of the NIST cybersecurity framework.
The information security ISO standard contains requirements to demonstrate that the organisation is continuously improving its security policy.
Our model can help identify areas for improvement and draw up a goal-oriented plan. For example, you could focus your resources on the aspects with the lowest maturity level, or a domain where you score below expectations.
Advancing as a community
From the first final version in 2018, we have made the model available to European ccTLDs via the CENTR website. We received support to conduct a biennial benchmark using the model. This means we have 3 data points (2018, 2020,2022). And they show a clearly positive trend. Our industry has made significant progress since the first assessment.
Of course, this step towards higher maturity did not just happen. After each benchmark, we provided the CM-SMM with an update based on feedback from the participants. We set up workshops where we discussed the results. We gave presentations on the subdomains where there was the most room for improvement. And together we have matured.
The work on the maturity model has been transferred to the European TLD-ISAC. This way we can guarantee that there are sufficient resources to maintain and update the CM-SMM.
A small team of dedicated people is currently working on an update to align the content of the CM-SMM with the new ISO/IEC27001:2022 standard. We plan to release version 1.3 in Q1 2024.
Finally, it is important to mention that anyone can use the model freely, provided that feedback is given to the authors regarding changes to the model. That's why we released it under a Creative Commons license.
Download the White Paper
Version 1.2 of the CM-SMM is free to download as a PDF through the following link.