In part one of this four-part SearchCompliance webcast, infosec strategist and CISO Demetrios Lazarikos explains the information security maturity model and explores the history of infosec.
An information security maturity model helps to show how security supports an organization's business processes, Lazarikos said.
"This model helps you understand where your organization is when you're building or supporting a program and then it helps you understand where you can shift to and from," Lazarikos said.
The information security maturity model places organizations in one of three categories, or groups, along a sliding scale that runs from reactive to proactive, Lazarikos said. The reactive "blocking and tackling" group, number 1, sits at the far left; the compliance-driven group, number 2, in the middle; and the proactive, risk-based group, number 3, at the far right:
1. Blocking and tackling, characterized by:
- Lack of executive support
- Underfunded and understaffed
- Lack of metrics for reporting
- Set up for failure
Lazarikos said that this first category is "unfortunately set up for failure because there is no repeatable process to scale and support information security compliance."
2. Compliance driven, characterized by:
- A controls-based security approach
- Alignment with mandatory regulations
This second category includes what Lazarikos calls "checklist-driven security and compliance programs."
3. Risk-based approach, characterized by:
- Multilayered security
- Looking at data across multiple disciplines
- Looking at new technologies as they pertain to protecting the company and its infrastructure
- Executives that know how to quantify the risk and losses in business terms and dollars
Lazarikos said that it is important for businesses to ask themselves where they fit in among the three categories and develop a strategy for moving from the far left of the scale to the far right.
"It's going to be important to understand this component of the infosec maturity model because with IoT there are a lot of opportunities to build and grow the infrastructure," he said.
History of the infosec security model
It was around 1994 or 1995 when organizations started to commercialize the use of the internet, Lazarikos said.
The security model back then was really clean, Lazarikos said, because if an auditor or regulator came in, they could say, "show me where you store, process or transmit healthcare information or financial information -- they would determine what was in scope based off of this clean stack and monitoring this information."
Security started to get tricky as organizations embraced a widening range of technologies. Even as the technology in use advances, it is still common to see companies keep legacy environments running alongside it.
"From a business standpoint -- if those [legacy] systems are generating revenue and adding value to the organization, my experience has been that it is really hard to migrate off of them because they're up and running, they're generating revenue," Lazarikos said.
The desire to create an agile data center combining legacy environments with several newer technologies creates an infosec, IT audit and regulatory "nightmare" for organizations, Lazarikos said.