Board members, demand your spiderweb chart!

Board members are not cybersecurity experts, so how do you keep track of the cybersecurity posture of your organization, without going into the bits and bytes? I am not talking about how you respond to events as they happen, but about how you keep track of where your organization stands with regards to cybersecurity and how it makes gradual progress.

Ask for your spiderweb chart on a regular basis! Let me explain.

There are plenty of cybersecurity governance models and standards. Some of them take the high view, such as ISO27001 and NIST CSF. Under ISO, you can even get certified.

And then there are more specific governance models that relate to:

  • technical IT security controls, such as the CIS Top 20;
  • security in development, such as OWASP SAMM (v2 recently released);
  • operational (industrial) technology (OT), such as IEC 62443 (this last model provides more of a practical reference architecture at the network and systems level).

What most of these models have in common is that they have a maturity model attached to them. If they don’t, they still require you to use a maturity model of your own choice. Maturity models are simple scales (e.g. from 0 to 3) that allow you to put a number on the level of maturity you have in a specific area. If you are merely responsive, reacting to events as they occur, your level is 0. If you have everything under control and have a good process for continuous improvement, you can reach level 3.

A very general model, the Capability Maturity Model Integration (CMMI), was developed by the US government to correctly gauge the maturity level of suppliers in system development. It is perfectly usable for cybersecurity. Some governance models, such as NIST CSF, have their own maturity levels (they call them ‘tiers’, from 1 to 4).

The maturity levels allow you to assess where you stand today: the ‘AS IS’ situation, or Current Level.

You as a board come in when it’s time to strategically define the security level where you wish to be, based on your own risk appetite, competitive pressures, or a benchmark of your market. This is the ‘TO BE’ situation, or Target Level.

The gap between current and target levels is what you want to close. Your security experts (internal or external) will create a roadmap specifying how to reach your target, by when, and what budget is required.

That all sounds very technical. It can be… but the reporting doesn’t have to be. This is where the spiderweb chart comes in!

The chart allows for a great overview of the current and target levels. A yearly review allows for updates to the model which, when put next to each other, easily show the progress made in cybersecurity maturity over time.
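To make the current-versus-target idea concrete, here is an added example (not part of the original post, and not any standard’s own tooling) that takes a per-domain maturity assessment on the 0 to 3 scale described above, validates it, computes the gap per domain, lists the biggest gaps for the roadmap, and renders the spiderweb chart as an SVG file. The five domain names and the scores are constructed sample data; the scale maximum and the SVG layout are assumptions of this example.

```python
"""Added example: maturity gap analysis and a spiderweb (radar) chart as SVG.
Assumes a 0..3 maturity scale (0 = purely reactive, 3 = continuous improvement).
The domain names and scores below are constructed sample data."""
import html
import math
from typing import Dict, List, Tuple

SCALE_MAX = 3  # assumed scale maximum, as in the post's example scale

# Constructed sample assessment: domain -> (current level, target level)
SAMPLE_ASSESSMENT: Dict[str, Tuple[int, int]] = {
    "Identify": (2, 3),
    "Protect": (1, 3),
    "Detect": (1, 2),
    "Respond": (0, 2),
    "Recover": (1, 2),
}


def validate(assessment: Dict[str, Tuple[int, int]]) -> None:
    """Reject levels outside the scale and targets below the current level."""
    for domain, (current, target) in assessment.items():
        for name, level in (("current", current), ("target", target)):
            if not isinstance(level, int) or not 0 <= level <= SCALE_MAX:
                raise ValueError(f"{domain}: {name} level {level!r} outside 0..{SCALE_MAX}")
        if target < current:
            raise ValueError(f"{domain}: target {target} below current {current}")


def gaps(assessment: Dict[str, Tuple[int, int]]) -> Dict[str, int]:
    """Gap per domain: how many maturity levels remain to be closed."""
    validate(assessment)
    return {domain: target - current for domain, (current, target) in assessment.items()}


def largest_gaps(assessment: Dict[str, Tuple[int, int]], n: int = 3) -> List[str]:
    """Domains with the largest gaps first (ties broken alphabetically)."""
    gap = gaps(assessment)
    return sorted(gap, key=lambda d: (-gap[d], d))[:n]


def radar_points(values: List[int], size: float = 200) -> List[Tuple[float, float]]:
    """Map one level per axis to (x, y); axes are evenly spaced, starting at 12 o'clock."""
    cx = cy = size / 2
    radius = size / 2 * 0.9
    points = []
    for i, value in enumerate(values):
        angle = -math.pi / 2 + 2 * math.pi * i / len(values)
        r = radius * value / SCALE_MAX
        points.append((round(cx + r * math.cos(angle), 2), round(cy + r * math.sin(angle), 2)))
    return points


def radar_svg(assessment: Dict[str, Tuple[int, int]], size: float = 200) -> str:
    """Spiderweb chart: grid ring per level, target polygon (blue), current polygon (red)."""
    validate(assessment)
    domains = list(assessment)
    current = [assessment[d][0] for d in domains]
    target = [assessment[d][1] for d in domains]

    def polygon(points, colour, opacity):
        coords = " ".join(f"{x},{y}" for x, y in points)
        return (f'<polygon points="{coords}" fill="{colour}" '
                f'fill-opacity="{opacity}" stroke="{colour}"/>')

    parts = [f'<svg xmlns="http://www.w3.org/2000/svg" width="{size}" height="{size}">']
    for level in range(1, SCALE_MAX + 1):  # one grid ring per maturity level
        parts.append(polygon(radar_points([level] * len(domains), size), "grey", 0))
    parts.append(polygon(radar_points(target, size), "blue", 0.3))
    parts.append(polygon(radar_points(current, size), "red", 0.3))
    for domain, (x, y) in zip(domains, radar_points([SCALE_MAX] * len(domains), size)):
        parts.append(f'<text x="{x}" y="{y}" font-size="8">{html.escape(domain)}</text>')
    parts.append("</svg>")
    return "\n".join(parts)


if __name__ == "__main__":
    print("Gaps:", gaps(SAMPLE_ASSESSMENT))
    print("Roadmap priorities:", largest_gaps(SAMPLE_ASSESSMENT))
    with open("maturity_spiderweb.svg", "w") as f:
        f.write(radar_svg(SAMPLE_ASSESSMENT))
```

Running the script writes `maturity_spiderweb.svg`; keeping one file per yearly review lets you put the charts next to each other and see the red (current) polygon grow towards the blue (target) one over time. The validation step matters in practice: a target below the current level, or a score off the scale, usually means an assessment error rather than a real regression, and it should be caught before the chart reaches the board.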

So, when you next talk with management about cybersecurity, ask them which governance model they use. And then ask to get regular (yearly) reports on the status of your cybersecurity maturity. Get your spiderweb charts!
