Security Maturity Model, Part 1


When it comes to businesses and enterprises, cybersecurity depends on many factors: the number of employees, how the environment is deployed, the likely attacks and attack vectors, the types of devices used in the ecosystem, and the corporate device usage policies. On top of these factors, there is a vast array of security solutions to choose from, each claiming to protect your ecosystem and avoid costly downtime or, even worse, damage to your reputation. We will discuss how these various solutions work in conjunction with each other to provide a comprehensive security posture that addresses a business's unique needs.


Adapt Your Security Posture as Your Business Grows

To illustrate how the security posture needs to be adapted as the company grows, we will break our security maturity model into 4 levels. This may not encompass all organizations, but it shows the progression required in the security posture as an organization changes and matures.


Security Maturity: Level 1

Level 1 of the security maturity model mostly consists of Small Office/Home Office (SOHO) businesses. This type of business typically has a very limited number of employees, sometimes even a single person, working from either a small office or a home office. There is no dedicated IT infrastructure or personnel; the business relies on free consumer online collaboration tools like Gmail and on unmanaged, personally owned devices (desktop and mobile).


Security posture:


Insure your business

Potentially losing ALL your data, including customer data, might seriously damage your business, if not put it out of business entirely. While larger corporations might be able to pay requested ransoms, even if they do not openly acknowledge it, smaller businesses usually cannot. Make sure you weigh the cost of a cyber insurance policy that covers ransomware attacks against the cost of not having one, and check what the policy actually requires of you (for example, backups and up-to-date systems), since a claim can be refused if those conditions are not met.


Protect your data

Ensure corporate data, including customer data, is safely stored, both locally on your desktop computer (using OS and/or full-disk encryption) and online at your cloud service provider (where encryption at rest is typically enabled by default). Also make sure your data is backed up to online cloud storage so you can recover it at any time if needed. Note that a sync folder alone is not a backup: a file that ransomware encrypts or deletes locally is synced in that state too, so use a service that keeps file version history or a separate backup copy that the desktop cannot overwrite. Finally, use a password manager, preferably an online service so your vault is available on every device, to store and manage all the credentials you use daily; this also helps you avoid reusing the same credentials for different accounts and choosing weak, easy-to-guess ones.


Protect your endpoints

Have antivirus software of some kind installed on your desktop computer to protect against known threats. If budget is an issue for now, there are a couple of free consumer solutions available that deliver basic protection. Take care of maintenance tasks such as installing OS and software security updates regularly to keep your computer and its data as safe as possible from known exploits.


Security Maturity: Level 2

Level 2 of the security maturity model is primarily for Small and Medium-sized Businesses (SMB); the number of employees increases significantly, from a dozen up to a hundred, usually located in one central office, plus some employees working permanently or occasionally from their home office. There is usually one "jack of all trades" employee (or two at most) dedicated to managing IT, using online collaboration tools (e.g., Google Workspace) and a mix of managed corporate-owned and personally owned devices (desktop and mobile). In some cases, a company might even have a small local datacenter hosting a separate IT infrastructure for specific business tasks, such as a software development company building and testing its software under real-life conditions.


Security posture:

Insure your business (unchanged from Level 1)

Protect your data (unchanged from Level 1)

Protect your endpoints – UPDATED

Traditional antivirus software, with its reactive posture that only protects against known threats, is no longer enough. It is time to allocate a budget for endpoint protection and move to a next-generation antivirus solution on desktops, which takes a proactive, behavior-based approach to preventing threats rather than relying on signatures alone, and to its mobile counterpart, a Mobile Threat Defense (MTD) solution, on smartphones and tablets.


Manage your endpoints (UEM)

As the employee base keeps growing, so does the number of endpoints, from desktop computers to smartphones and tablets, as most employees tend to have more than one device for both work and private use. Unified Endpoint Management (UEM) solutions become a must to manage all these endpoints, desktop or mobile, personally owned or corporate-owned, and to provide them with the work apps your users need. UEM gives devices transparent but controlled access to corporate networks (Wi-Fi, VPN) and enforces security settings on them (password changes, OS updates, encryption), so that they stay compliant with your internal requirements and lose access when they drift out of compliance.
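The compliance enforcement described above boils down to evaluating each enrolled device against a small set of rules and denying access to the ones that fail. The following is an added example, not code from ISEC7 or from any UEM product: a toy compliance evaluator in Python over a constructed device inventory. The minimum OS versions, the seven-day check-in limit and the rule that only corporate-owned devices must report full-disk encryption are hypothetical policy choices, not recommendations from the article.

```python
"""Toy UEM-style compliance check over a constructed device inventory.

Added example; the policy values below are assumptions, not vendor defaults.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Device:
    name: str
    platform: str          # "ios", "android", "windows" or "macos"
    os_version: str        # dotted version string as reported by the agent
    encrypted: bool        # full-disk / storage encryption enabled
    passcode_set: bool     # device lock configured
    last_checkin: date     # last time the device reported to the UEM server
    ownership: str         # "corporate" or "personal"


# Hypothetical policy: minimum OS version per platform and maximum check-in age.
MIN_OS = {"ios": "16.0", "android": "13", "windows": "10.0.19045", "macos": "13.0"}
MAX_CHECKIN_AGE = timedelta(days=7)


def parse_version(version: str) -> tuple:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def version_at_least(have: str, want: str) -> bool:
    """Numeric comparison; shorter tuples are zero-padded so '13' == '13.0'."""
    a, b = parse_version(have), parse_version(want)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def evaluate(device: Device, today: date) -> list:
    """Return the list of rule violations for one device (empty means compliant)."""
    reasons = []
    minimum = MIN_OS[device.platform]
    if not version_at_least(device.os_version, minimum):
        reasons.append(f"OS {device.os_version} below minimum {minimum}")
    if not device.passcode_set:
        reasons.append("no device passcode")
    # Assumed policy: encryption is enforced on corporate-owned devices only.
    if device.ownership == "corporate" and not device.encrypted:
        reasons.append("storage not encrypted")
    if today - device.last_checkin > MAX_CHECKIN_AGE:
        reasons.append(f"no check-in for {(today - device.last_checkin).days} days")
    return reasons


def non_compliant(devices: list, today: date) -> dict:
    """Map device name -> violations, for every device that fails at least one rule."""
    result = {}
    for device in devices:
        reasons = evaluate(device, today)
        if reasons:
            result[device.name] = reasons
    return result


# Constructed sample inventory (fictional devices and dates).
TODAY = date(2024, 5, 13)
INVENTORY = [
    Device("laptop-01", "windows", "10.0.19045", True, True, date(2024, 5, 10), "corporate"),
    Device("phone-02", "ios", "15.7", True, True, date(2024, 5, 12), "personal"),
    Device("tablet-03", "android", "13", False, False, date(2024, 5, 12), "corporate"),
    Device("laptop-04", "macos", "14.2", True, True, date(2024, 4, 1), "corporate"),
]

if __name__ == "__main__":
    for name, reasons in non_compliant(INVENTORY, TODAY).items():
        print(f"{name}: deny access ({'; '.join(reasons)})")
```

In a real deployment the inventory comes from the UEM server's device records and the outcome feeds the network access decision (for example, revoking the Wi-Fi or VPN certificate), but the rule logic is the same: every rule produces a reason the administrator can show the user, and a device that has silently stopped checking in is treated as non-compliant rather than trusted by default.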


Protect your local network

When allowing remote access to your local network, for example for roaming or home-based employees, you will need to protect access to that network. The most common option is Virtual Private Network (VPN) software, usually for desktop computers, as it lets them reach most internal resources as if they were physically in the office. For mobile devices, the best option is usually the one offered by your UEM vendor, which either routes traffic through the vendor's own private data network (e.g., BlackBerry UEM) or uses a VPN tunnel scoped to specific mobile apps (per-app VPN), so that security does not interfere with the end-user experience and personal apps on a personally owned device never touch the corporate network.


Understanding your business and the operational needs of your cybersecurity solution is paramount in providing the right solution for your specific vulnerabilities. Some solutions are cost-neutral; however, they may not provide adequate protection or may not address ALL of the vulnerabilities within your organization. The immediate benefit looks like a cost saving, but if there is an attack, that saving is immediately lost. The team at ISEC7 can provide an objective assessment of what will address the needs of your organization and/or the risk mitigation needed to enhance your current solution.



(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group