How much security is appropriate for your organization? New cybersecurity standards and regulations continue to be released, but they provide only part of the equation. Cybersecurity models, standards, and frameworks such as the CIS 20 Controls, the NIST Cybersecurity Framework, and ISO 27001/2 define the activities required to implement a holistic cybersecurity program by describing WHAT capabilities the program should include. However, they do not address how robust each capability must be to satisfy the corresponding security control. The HOW, or maturity, of each cybersecurity capability is left for the organization to determine. During this session we will illustrate how organizational risks can be used to determine how mature capabilities need to be as the organization implements the security controls of its selected standard, regulation, or framework. Participants will walk through several exercises that provide actionable and relevant techniques they can implement within their organization immediately following the session.
- Understand cybersecurity standards and frameworks such as the NIST Cybersecurity Framework, SP 800-53, SP 800-171, and CMMC, the type of information they provide, and their value.
- Identify the factors that drive maturity within a cybersecurity program.
- Understand common cybermaturity scales available today, including the CMMI cybermaturity levels, NIST Cybersecurity Framework Implementation Tiers, CMMC maturity levels, and SP 800-53 control baselines.
- Identify key risk indicators that can be used to identify appropriate maturity levels for an organization.
- Apply a risk-based approach to define the appropriate cybermaturity for the cybersecurity capabilities within a program.