What’s Risk Management Maturity?

Recently, I was sitting a room of information security professionals discussing FAIR with Jack Jones, and the discussion took a typical turn: maturity. “We’re not very mature” comes up in almost every conversation I have with organizations, so it was no surprise that people wanted to ask the creator of the FAIR risk model his thoughts on risk program maturity.

And his response was perfect: “Where we are, as a profession, it’s like we’re doctors relying on bloodletting.” Besides inducing chuckles, it also prompted a great discussion about risk management program maturity.

Maturity is a topic in almost every initial (and follow-up) conversation I have with security teams. At some point, the words “we aren’t very mature” are stated in one form or another, despite the sophistication of the tools and the technological skills within the organization. Whether they are a two-person team or a 60-person team, they still suspect that there must be a better way – that their heat maps, maturity models, GRC tools, and compliance checklists are not getting the job done.

As Jack sees it, common maturity models in our profession are missing the point by focusing on what he calls “lagging indicators” – that technologies or processes we can check off our checklist mean that we’re more mature.  Those maturity models don’t have a clearly defined meaning of maturity – a higher score is simply better than a lower score. “They don’t really define what maturity represents,” Jack says. “Many of us know organizations that score reasonably well on common maturity assessments, but have significant difficulty prioritizing well or executing reliably.”

Jack has a more practical definition of maturity:

A mature organization is one that can cost-effectively achieve and maintain an acceptable level of risk.

He breaks maturity down to two components:

  1. Can decision-makers make well-informed decisions, based on visibility into the risk landscape and quality of the risk analysis and reporting?
  2. How reliably can personnel, based on awareness of what’s expected of them, their skills and resources, and levels of motivation, execute against risk management decisions?

Mature organizations are the ones that are able to “reduce noise and focus more effectively on truly high-risk concerns, choose cost-effective solutions for the risk management priorities, and execute reliably,” says Jack.  There’s still a place for compliance standards – “guardrails” as he calls them – but they’re one of the available tools, not the end point.

So, where do you start? How do you move past bloodletting to “achieve and maintain an acceptable level of risk”?

Begin by calibrating how people think about, analyze, measure, and communicate risk.  Implementing the FAIR model is a solid step in that direction and forms the basis of “well-informed” risk-based decision-making.

This begins with providing your staff training in FAIR, with its clear and consistent vocabulary and model – and analytical tools like RiskLens – and you’re giving  them a clear understanding of what’s expected and the skills and resources to execute.  “Maturity” may still be moving target – in the fast-changing landscape of cybersecurity that’s given – but your risk organization can stop wondering about what “maturity” means and focus together on growing up.