
Cybersecurity Frameworks and Capability Maturity Models (CMM) Worth Knowing

There are plenty of frameworks and CMMs (Capability Maturity Models) to choose from. In this article, we'll explore a few of the more popular ones and discuss their use in general, in terms of the value they add. This article has a strong Australian sway to it because that's where I live. But each country will have its own defence and government-endorsed frameworks and CMMs.

But first, what is a framework and what is a CMM, and why would any business use them?

Most businesses don't "need" to use frameworks and CMMs. They often opt to use them to save having to come up with their own pathway forward. However, some organisations do need to use them in order to comply with industry regulations. Defence is one such industry: businesses that participate in it are required to demonstrate compliance.

CMMs provide a way to measure the current state of a business's cybersecurity posture against the thresholds set by industry regulators. The CMM states the maturity level a business must reach, and the framework helps that business progress towards it. For example, the Essential Eight is expressed as a maturity model with levels from zero to three, and a regulator or contract can require a business to reach a particular level.

Frameworks, such as the NIST CSF and the Australian Cyber Security Centre's Essential Eight, provide standardised methodologies for risk management and general cybersecurity.

The value proposition of these tools is clear: better risk mitigation. Frameworks provide a structured approach to risk assessment, enabling organisations to prioritise and address weaknesses effectively. Implementing controls based on these frameworks strengthens the security posture and reduces the attack surface, and it does so against a reference that an auditor or regulator can also recognise.

Within some businesses, there's friction against change. One business unit may see the need to move forward and improve, while another may see the current state as "fine" because the business is already making money and doing well. The use of a framework and CMM can help. If endorsed from above (by senior management), business units may have no choice but to participate in the change. The top-level endorsement signals that management has thought it through and that the business sees it as the right move. In this way, the framework and CMM become a means to ensure positive change, and are likely used as the "stick" to ensure all relevant business units come along for the ride.

While often not required by regulation, businesses are wise to consider these well-tested tools to help achieve their desired cybersecurity state.
