March 19, 2024

Measuring to Level Up: Maturing Your Information Security Program

Vantage Technology Consulting Group

Nobody ever said scrutinizing and improving your Information Security Program was easy.

In higher education, this task becomes monumentally more complex due to the need to balance accessibility with security and privacy for a user base with a staggering range of needs and technical proficiencies. Between students, faculty, staff, researchers, affiliates, vendors, and campus guests, your institution supports the networking and technology needs of a whole spectrum of communities. This includes providing open networks to facilitate research collaborations with external partners, accommodating various new devices or applications on the campus network, and providing a high-quality student experience while properly protecting data and meeting compliance requirements. And for institutions with large, decentralized IT environments, everything gets even more complicated.

It is a delicate balancing act, with all sorts of undesirable implications for getting it wrong. It’s a puzzle worth solving, but one that demands careful strategy and foresight.

Moving from an ad hoc approach to developing a comprehensive Information Security Program that aligns with your institution’s mission and receives full support from campus leadership is a significant achievement. To remain effective, a strong program includes an operational workflow for continued strategic alignment, adapting as needed to any changes in institutional risk. This requires regularly assessing current and planned information security initiatives, ensuring appropriate scoping of program activities, effective communication within the community, adequate resource allocation, and endorsement by leadership.

How can you accomplish an Information Security Program review and determine its strengths and opportunities for improvement when many campus information security teams have limited resources available to proactively assess a program? Well, we have good news! A number of maturity model frameworks have been developed to help streamline this task and provide a way to measure your program’s progress.

Why a Maturity Model?

Using a maturity model to assess your Information Security Program offers several key advantages, including:

  1. A clear snapshot of your program’s alignment with industry best practices.
    Organizations that use a common framework can establish a consistent and repeatable benchmarking process. This aids in gauging program capabilities and identifying areas for improvement.
  2. A strategic view of your Information Security Program’s opportunities.
    Comprehensive program maturity assessments enable leaders to make informed decisions to prioritize and optimize the use of limited resources. This increases the efficiency of your institution’s plan to strengthen the overall security posture.
  3. A way to showcase your program’s success.
    Repeating the maturity assessment and comparing your results year over year highlights your commitment to ongoing security initiatives and demonstrates program enhancements and progress over time.

“Without a systematic or iterative approach, it’s easy to lose track of priorities and the best way forward, even if your institution’s program has a solid foundation. Conducting a program assessment is valuable because it helps the team inventory current initiatives, prioritize efforts and resources, and align future activities. This process also highlights that information security is a collective responsibility for everyone involved.” – Chuck Lanham, Vice Provost for IT and CIO, Western Washington University

How Does a Maturity Model Assessment Work?

While performing an assessment, you’ll assign each program objective in your chosen framework a value for the institution’s current maturity level, as well as an aspirational maturity level. The aspirational value should be a reasonable goal for the next 1-3 years (or some other practical timeframe). There are a few different commonly used maturity rubrics, but they all have valuation levels that range from nonexistent and reactive processes and operations on the lower end to proactive processes and operations on the higher end. We encourage the assessment team to thoughtfully come to an agreement on the current and aspirational maturity values.

The discussion points that matter most when deciding which maturity level matches each Information Security Program objective include:

  • Is this something you haven’t gotten around to implementing yet? If so, is it at least on your roadmap?
  • If the objective is something your staff actively manages, do you have documentation and a process to keep it updated so that you complete the objective’s workflow the same way each time?
  • How much visibility do you have? Can you track your current functionality to know how well you’re meeting an objective’s goals? Do you have the ability to generate a report or analyze your efficiency?
  • Do you think you could improve on an objective? For example, automate a process or make it less manual? Is there a solution you could purchase to perform this function for you or make it more efficient?

“Indeed, going through the maturity assessment exercise brought some surprises to light. However, it was great to hear them at a time of planning rather than in the heat of an incident. Gathering everyone for a discussion on our maturity scale helped set expectations and understanding, which benefited everyone involved.” – Johnny Inghilterra, Director of Information Security, Trinity College

An assessment like this provides a high-level view of your current Information Security Program’s breadth and depth. It will highlight which areas may need some additional thought or attention as well as showcase areas that are successfully developed and functioning at high efficiency. It also provides a view into the known opportunities, which may not currently be prioritized or appropriately resourced. Analyzing the output of a maturity assessment defines guideposts for improving your Information Security Program. The final step of a good maturity assessment is developing your action plan. An action plan ensures that limited resources are efficiently and effectively used to strengthen the institution’s security posture.
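The mechanics described above (agreeing on a current and an aspirational level per objective, turning the gaps into a prioritized action plan, and comparing results year over year, as the earlier list item on showcasing success suggests) are straightforward to capture in a small script. The following is an added example, not code from the original post or from Vantage. The five-level rubric, the risk weights, and the sample objectives and last-year levels are all constructed for illustration; a real assessment would use the level definitions of whichever framework the institution adopts.

```python
"""Gap analysis over a maturity assessment (hypothetical rubric and sample data)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed five-level rubric, running from nonexistent/reactive to proactive.
# Real frameworks define their own level names and criteria.
LEVELS: Dict[int, str] = {
    0: "Nonexistent",
    1: "Initial (ad hoc, reactive)",
    2: "Repeatable (documented process)",
    3: "Defined (measured and reported)",
    4: "Managed (reviewed and optimized)",
    5: "Proactive (automated, continuously improved)",
}


@dataclass(frozen=True)
class Objective:
    name: str
    domain: str
    current: int   # agreed current maturity level
    target: int    # aspirational level for the next 1-3 years
    weight: int    # hypothetical risk weight, 1 (low) to 3 (high)

    def validate(self) -> None:
        """Reject levels outside the rubric and targets below the current level."""
        if self.current not in LEVELS or self.target not in LEVELS:
            raise ValueError(f"{self.name}: levels must be one of {sorted(LEVELS)}")
        if self.target < self.current:
            raise ValueError(f"{self.name}: aspirational level is below current level")
        if not 1 <= self.weight <= 3:
            raise ValueError(f"{self.name}: weight must be between 1 and 3")

    @property
    def gap(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Larger gaps on higher-risk objectives float to the top of the action plan.
        return self.weight * self.gap


def prioritize(objectives: List[Objective]) -> List[Objective]:
    """Order objectives for the action plan: highest weighted gap first,
    lowest current level breaking ties, objectives already at target last."""
    for obj in objectives:
        obj.validate()
    return sorted(objectives, key=lambda o: (-o.priority, o.current, o.name))


def domain_summary(objectives: List[Objective]) -> Dict[str, float]:
    """Average current maturity per domain: the snapshot view for leadership."""
    by_domain: Dict[str, List[int]] = {}
    for obj in objectives:
        by_domain.setdefault(obj.domain, []).append(obj.current)
    return {d: round(sum(v) / len(v), 2) for d, v in by_domain.items()}


def year_over_year(previous: Dict[str, int], objectives: List[Objective]) -> Dict[str, List[str]]:
    """Bucket objectives by whether their current level rose, fell, or held
    since the previous assessment (objectives new this year count as unchanged)."""
    result: Dict[str, List[str]] = {"improved": [], "unchanged": [], "regressed": []}
    for obj in objectives:
        delta = obj.current - previous.get(obj.name, obj.current)
        bucket = "improved" if delta > 0 else "regressed" if delta < 0 else "unchanged"
        result[bucket].append(obj.name)
    return result


# Constructed sample assessment; not real institutional data.
SAMPLE: List[Objective] = [
    Objective("Asset inventory", "Asset Management", current=1, target=3, weight=3),
    Objective("Security awareness training", "Awareness", current=3, target=4, weight=2),
    Objective("Incident response plan testing", "Incident Response", current=2, target=4, weight=3),
    Objective("Vulnerability management", "Operations", current=2, target=3, weight=3),
    Objective("Log monitoring and alerting", "Operations", current=1, target=3, weight=2),
]

# Constructed levels recorded at last year's assessment.
LAST_YEAR: Dict[str, int] = {
    "Asset inventory": 1,
    "Security awareness training": 2,
    "Incident response plan testing": 2,
    "Vulnerability management": 1,
    "Log monitoring and alerting": 2,
}

if __name__ == "__main__":
    for obj in prioritize(SAMPLE):
        print(f"{obj.priority:>2}  {obj.name:<32} {LEVELS[obj.current]} -> {LEVELS[obj.target]}")
    print(domain_summary(SAMPLE))
    print(year_over_year(LAST_YEAR, SAMPLE))
```

The weighted gap is deliberately simple so the assessment team can argue about the inputs rather than the formula; the validation step matters more in practice, since an aspirational level below the current one or a level outside the rubric usually signals that the team never reached the agreement the exercise is meant to produce.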

Elevating Information Security Program Maturity: An Ongoing Process

Regular assessments conducted using maturity models are one of the most approachable methodologies for routinely scrutinizing institutional Information Security Programs and related initiatives against the ever-evolving landscape of cybersecurity in higher education. These assessments provide a systematic and risk-based approach to pinpoint opportunities to adjust the program strategy, helping your team analyze the current program, adapt plans, and continually enhance the institution’s cybersecurity capabilities.

Is Your Team Committed to Continuous Improvement?

Conducting maturity assessments at a regular cadence also empowers your institution to demonstrate the progress that your Information Security Program has achieved over time, which communicates the value and importance of your program to campus leadership.

Need Help?

Our team of higher education experts is available to facilitate Information Security Program Maturity Assessments with your organization and assist with developing a roadmap for enhancing the maturity levels of your Information Security Program objectives in support of the institutional mission.

This post was co-authored by Senior Strategic Consultant Jacqueline Pitter, who advises clients on network modernization, information security program development, and technology architecture, and Senior Strategic Consultant Valerie Vogel, who advises clients on information security and privacy awareness and education programs, incident response programs, and IT organizational assessments. Jacqueline, Valerie, and Vantage colleague Sarah Norwood previously co-authored the blog “Turn the Tables and Build a Better TTX,” which highlights the importance of testing incident response plans with periodic information security tabletop exercise workshops.