Program Maturity – Cybersecurity and Operational Risk Management
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
May 2020

Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level. This article provides guidance to improve program maturity in stages. A risk-prioritized approach can be used to obtain funding.

Maturity Level 1. Minimal Compliance

Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework. A framework communicates the minimum controls required to protect an organization.

It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements is also a minimalistic approach when designing a program.

Be mindful that external requirements are biased towards the governing body versus the interests of your organization. For example, the PCI Data Security Standard is focused on the security of payment card data. There are no requirements for disaster recovery or business continuity. The card brands do not care if your business goes under, as long as their payment card data is secure.

Maturity Level 2. Common Controls

Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them.

Gap analysis: Deploy controls based on proven methodologies such as the 20 CIS Controls.

  • Patching
  • Penetration testing
  • Cyber threat intelligence

Risk-based deployment of controls: Establish a risk-based approach for implementing controls. For example:

  • Conduct source code scanning of all web applications
  • Conduct dynamic application scanning of any web application that stores, processes or transmits sensitive data such as Personally Identifiable Information (PII), Protected Health Information (PHI), payment card data or confidential company information
  • Conduct penetration testing of any Internet exposed web application that hosts sensitive data

Controls in this category are viewed by many as necessary and common sense in a cybersecurity context. Some may view this maturity level as filling gaps in the control framework, basic due diligence.

Maturity Level 3. Risk Management

Management may view adherence to a control framework and compliance obligations as sufficient due to the number of controls, cost and productivity impact. Follow that frame of reference and communicate control framework requirements for risk assessment and risk management. It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape.

Threat Landscape and Controls Analysis: Conduct risk analysis, resulting in a formal report. Start by considering the inherent risk of the organization. Provide an overview of potential adversaries, techniques for compromising data and the cybercrime ecosystem. Describe the potential for impact, while citing reliable sources. Reference the organization’s risk tolerance. Describe the organization’s assets. Pivot into cybersecurity with protection boundaries, control framework and risk assessments. Provide fair and balanced analysis by documenting risk mitigation and recent accomplishments in that domain. Detail residual risk with recommendations for new processes and controls. Conclude with a summary statement that praises the organization’s risk culture, with recognition for conducting risk analysis.

Create a slide deck to present the results of the risk analysis:

  • Include a slide with risk management requirements from the control framework, regulations, laws and contractual obligations
  • Provide a risk analysis overview
    – Identifying necessary controls with context of the threat landscape, while considering the organization’s products, services and assets
    – Focusing controls on sensitive data such as PII, PHI, payment card data and confidential company information
  • Provide a roadmap with a request for resources and funding

Risk Register: Establish a risk register to provide transparency to management. Cybersecurity entries should be reserved for issues that pose significant risk to the organization (risk mitigate or risk accept). Discuss register entries in meetings with IT and business executives. Meet at least every two months to maintain risk governance routines.

Maturity Level 4. Strong Risk Management

At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.

  1. There is appropriate separation of duties in the CISO’s reporting structure, such as reporting to the CEO, Chief Risk Officer or Board of Directors. When the CISO reports to the CIO, it is a conflict of interest.
  2. Cybersecurity metrics, KPIs and KRIs feed into an Enterprise Risk Management program
  3. The CISO provides updates to the Board of Directors or similar executive group
  4. The cybersecurity program maintains controls specific to line of business products, services and assets
  5. A process management program is in place, to include policy, an inventory and process risk analysis
  6. A fraud prevention program is in place, to include fraud risk assessments conducted by an independent third party
  7. An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis
  8. The organization leverages the Three Lines of Defense Model, with active support from operational management, risk management and compliance functions and internal audit
  9. Operational functions and lines of business are required to declare self-identified audit issues, with metrics in place to demonstrate the control environment is improving continuously
  10. Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers

This article gives executives options to make risk-based decisions. A multi-generational plan can be used to improve program maturity. Strong risk management pays dividends over time with low occurrence of harsh negative events. When incidents do occur, controls are in place to limit business impact.

About the author: Gideon T. Rasmussen is an Information Security Risk Consultant with over 20 years of experience in corporate and military organizations. His websites are and The opinions expressed here are those of Gideon Rasmussen and do not necessarily represent those of his current or past employers/clients.

Originally published by Security Current (May 2020)