Mistake or Misunderstanding?
There’s been quite a bit of buzz recently around the apparent failure of the ‘maturity’ approach to managing cyber risk. Maturity has been the mantra for many organizations for more than a few years, so after all that investment, why is it now a bad thing?
McKinsey summarized it nicely in their recent article ‘The risk-based approach to cybersecurity’, acknowledging that although this approach remains the norm, it’s now “A dog that’s had its day.” Instead, McKinsey encourages us to take a risk-based approach by spending the most energy and resources protecting what matters most to us.
On the face of it, it’s hard to disagree with this premise, but for those of us with more than our fair share of grey hair, it does beg the question, “How can maturity be a bad thing?” The answer is, it isn’t, and all the buzz probably has more to do with a collective mid-life crisis than actual maturity. So if maturity isn’t working for you, maybe you’ve just been doing it wrong.
If you were alive in the late 80s and early 90s then I’m sure you closely followed the US Department of Defense’s work to manage their way out of decades of disastrous software contracts. For years, software contractors over-promised and under-delivered products, which either simply didn’t work or routinely suffered massive cost and time overruns, wasting billions of dollars and years of progress. The DoD sponsored Carnegie Mellon University’s Software Engineering Institute to combat this, which resulted in the Capability Maturity Model (CMM).
The model lays out what a process’s maturity looks like at various stages of its life and, by clearly defining each stage, guides us in evolving our processes. The five stages might be a familiar mantra to many.
1. Initial (chaotic, ad hoc, individual heroics) – the starting point for use of a new or undocumented repeat process.
2. Repeatable – the process is at least documented sufficiently such that repeating the same steps may be attempted.
3. Defined – the process is defined/confirmed as a standard business process.
4. Capable – the process is quantitatively managed in accordance with agreed-upon metrics.
5. Efficient – process management includes deliberate process optimization/improvement.
The plan was for the DoD to use the model to identify those contractors who could deliver, and those who couldn’t.
Obviously, there’s a ton more guidance than this over the CMM’s 472 pages, but the model stands today as one of modern industry’s most widely accepted and clearest measures of process maturity. It’s not a solution per se, but it does draw a clear picture of what good looks like. I’m pretty sure most of us haven’t forgotten this sage advice, but for some reason, we aren’t applying it.
So, armed with our deep knowledge of maturity, why are we not succeeding?
Well, curiously, over the last few years it seems the Capability Maturity Model somehow evolved into the ‘Capability Model’. For some time now, we’ve been more focused on which capabilities we have, rather than how mature they are. Perhaps, like a Victorian parlour game, the capability message mutated as it was handed down from the source; think ‘Defense in Depth’ and more recently ‘Capability Gap Analysis’. A cynic might also point out that there’s more money to be made from selling new capabilities than from maturing old ones, and I think this has been a factor, but not the whole story.
In her excellent article Measuring Maturity, Mary Poppendieck warned us of the perils of trying to improve maturity by this kind of decomposition. To paraphrase her, ‘You can break a big problem like capability down into manageable chunks, but once you try to re-integrate them, you will probably find that the real issues were lurking in the cracks.’
Maturity, then, is more likely the connective tissue that elevates a set of capabilities to the Capable and Efficient state we are striving for. However, this answer feels less comforting. It’s less tangible than the capabilities approach, because now we’re tasked with discovering some secret maturity ingredient that we need in order to deliver our desired state.
The Circle of Life
The truth may be that we’re searching for maturity because we’re still a relatively young industry. Like most youngsters, we tend to strive to be something other than ourselves. It took decades for us to earn the respect of the business community that feeds us, but now that we have it, we mustn’t lose sight of why we’re here in the first place.
The economics of security are vitally important to our long-term success, but perhaps, in our board-visible search for maturity, we’ve focused too heavily on the tangible economic outcomes without properly understanding the risk outcomes. In many cases, we bet on technology over people and process, and the result seems to have brought us full circle to the problem the DoD were facing way back when: solutions which simply don’t work, billions of dollars and years of progress lost.
Sure, we made some progress, but the latest data breach or ransomware outbreak of staggering proportions is probably only a few days removed from whenever you read this, so we shouldn’t be working on our golf swing just yet. Security technology has come a long way and there are a lot of good products out there, but let’s take a moment to strengthen our connective tissues first, before we throw our back out again.
McKinsey’s advice is to take a risk-based approach. They’re not wrong, but shouldn’t that be obvious? What would a mature solution be based on if not risk? As with most things in life, it’s the approach that matters. We can see further if we stand on the shoulders of giants, and the lessons of the CMM and similar work have already been handed down to us. After all, what is maturity if not the application of wisdom?