How your company can measure its 'cyber resilience' and evaluate its posture

Non-profits ISACA and CMMI help companies score their cybersecurity readiness and create a gap analysis to get up to speed.
Written by Jason Hiner, Editor in Chief

Robert Clyde, vice chair of ISACA Board of Directors, spoke with ZDNet's Jason Hiner at this year's RSA Conference.

Watch their conversation in the video above, or read the transcript below:

Jason Hiner: So, tell us a little bit about what ISACA does, and the kind of stuff that you're focused on right now.

Robert Clyde: Sure. So, ISACA is a professional association, but we really exist for encouraging and instilling confidence in technology. Now, that sounds like cybersecurity at its core, and we also own CMMI. So, we have a mission both for the individual professional, where we have many members and others. We have 140,000 members, half a million professionals that engage with ISACA every single year.

Jason Hiner: Wow.

Robert Clyde: Either through certifications or knowledge that they want to get. And then, we also serve enterprises by providing them with the necessary confidence that they can have, and the capabilities of their technology organizations.

Jason Hiner: All right, fair enough. So, you guys also do research.

Robert Clyde: We do.

Jason Hiner: And you have some recent research that's come out. And so, let's talk about, first, some of the technical parts that you found, and then there's some soft skills, or cultural parts of the research as well. But let's start with some of the technical stuff. What were some of the big findings that you guys came up with?

Robert Clyde: So, on the technical side, not a big surprise, for those of us who've been in cybersecurity for a long time.

Jason Hiner: Yeah.

Robert Clyde: But we did find that more than half of our respondents expect that the threats, and the attacks will actually increase this year. As they thought last year-

Jason Hiner: Sure.

Robert Clyde: And the year before. And the year before that. In other words, as we move forward ... and I think, not necessarily because we're not able to do a good job as security professionals, but because the complexity of our environments, and at the same time, the increasing sophistication of the attackers, and funding of the attackers, make it challenging. And that challenge just seems to grow faster every single year.

Jason Hiner: So what were some of the top data points from the study, that you guys are talking about this year?

Robert Clyde: Yeah so, good news, we found 64% of security budgets were increasing. So almost everybody said, "Yeah, our budgets are getting bigger." And yet, at the same time, we've had this tremendous skills gap that continues to grow. And we actually had more people this year say that they were having trouble hiring people than even last year. So, we have a situation where only 20% said they could fill positions in two months or less.

Jason Hiner: Okay, wow.

Robert Clyde: That's not so good. After six months, 25% are still unfilled.

Jason Hiner: Still looking, okay.

Robert Clyde: And some say they can never fill them. And so, it's not just a money problem, clearly. It's a talent gap issue. And by some indications, by the year 2020, about two million positions will be out there to be filled.

Jason Hiner: Just in cybersecurity.

Robert Clyde: Just in cybersecurity. And there's just not enough, in terms of talent, to go around. So, we've gotta find other ways of cross-training, and perhaps looking at other areas of our population, that we might bring in cyber security professionals.

Jason Hiner: So, do you have recommendations, with all the work that you do, certifying people, education ... primarily, a big part of what you do is education related. Are there recommendations that your organization makes, on how to solve it?

Robert Clyde: ISACA has quite a few recommendations.

Jason Hiner: Good.

Robert Clyde: So, we have looked at this problem, now, for several years, and talked to a lot of our experts, within the industry, that are members of ISACA, to get their advice in this area. So, first of all, look at people in adjacent fields. Just don't try to steal people from other companies. Because that's all that tends to happen right now, and-

Jason Hiner: It's a zero sum game.

Robert Clyde: It's expensive, and now it just means the next company has to look for somebody.

Jason Hiner: Sure.

Robert Clyde: So, a lot of turnover in the industry is not necessarily a good thing, so we need to actually build the pool, and that takes a concentrated effort. So look at network admins, for instance. Look at people in other fields, anywhere in IT. Computer programmers that have been programming for 10 years, and are ready for a change. It might just be somebody that has a strong aptitude for math and science. I've known physicists, for example, who've made great cybersecurity experts.

Jason Hiner: Cool.

Robert Clyde: So, we can go to non-traditional avenues and look at cross-training people, and come into cyber security. So, that's one avenue.

Jason Hiner: Great.

Robert Clyde: I think another important aspect is, in fact, the education. And we should consider that this is a field where non-traditional education ... in other words, is the four-year degree the most important thing? Or is it training and certifications from organizations like ISACA, and many others that are out there, that might actually be more important? And I would argue that in this field, in particular, getting a good, solid, technical foundation, maybe even just one or two years at an educational-type program, IT or some type of technical training, plus appropriate certification, is probably more valuable, and less expensive, than a four-year degree. So, something for universities to be thinking about in what they're offering. Many have already started figuring this out. And for companies to maybe stop asking that they have a Bachelor's as the minimum requirement, because I'm not sure that is the minimum requirement in order to go into this field.

Jason Hiner: Okay, fair enough. Now, one of the things that could help solve the gap, was also in your research. And that is, the gender gap in this field. It obviously reflects the larger gap in the field itself, but it is particularly acute in security as well. What did you guys find there?

Robert Clyde: Yeah, we've noticed this problem at ISACA for some time. In fact, we started a program called She Leads Tech, and have funded that, and it's been very active, and having tremendous effect. But one of the things we've seen, both anecdotally and from other surveys, sadly, is the mix of men and women in the cybersecurity industry has held steady at about 11%. We're not making progress. So we said, this year, for the State of Cybersecurity report, we're gonna ask a gender-related question. A diversity question. And so, we asked companies a fairly simple yes or no question. "Do you believe in your organization that the advancement opportunities for women are the same as for men? Yes or no?" And interestingly enough, across the board, there was a 31% gap between the way women answered the question and the way men answered the question. 82% of men, only 51% of women.

Now, this is where it got exciting. So, I was like, "Man, that's worse than I thought it would be. I was hoping it would be better." This is where it really got exciting, because we also asked, "Do you have a diversity program at your organization? Yes or no?" Well, if you answered yes to that question, we took a split. So, organizations that had a diversity program, that gap narrowed to just 10%.

Jason Hiner: Ah.

Robert Clyde: So, when you ask the question, "Do diversity programs work?" They actually make a difference, at least for the field of cybersecurity-

Jason Hiner: It appears like they do.

Robert Clyde: It's a big difference. The ones that said no, the gap was 37%. So, organizations with diversity programs, 10% gap. Not bad. Getting there.

Jason Hiner: Work to do, but yeah.

Robert Clyde: The rest, 37%.

Jason Hiner: Not good.

Robert Clyde: Lot of work to do. So that would be one of the big "Ah-ha" moments from this: you know what? It helps. It really helps.

Jason Hiner: Yeah, very good. All right, so let's talk a little bit about CMMI, because you guys don't just do education, but now, you're also doing some proactive work that helps people figure out where they sit with cybersecurity, and how much work, maybe, they have to do, in their work. And so, why don't you talk a little bit about what CMMI is, and how it came to be part of ISACA, first?

Robert Clyde: Sure, yeah. Let me start with that. So, CMMI was started by Carnegie Mellon over two decades ago.

Jason Hiner: And it stands for? Sorry.

Robert Clyde: Capability Maturity Model Institute.

Jason Hiner: Very good.

Robert Clyde: And it came out of the Software Engineering Institute of Carnegie Mellon, and I definitely want to give them all the credit for having the vision to create this. And the idea was, to provide a way that you can measure the capability of your software development or IT departments, in terms of how mature they were. And they had a one to five scale. It's very popular. It's used around the world.

It's used by governments during procurement processes, where they'll actually ask, "So, you develop software, great. What CMMI level are you at?" And you'll see firms in India advertise, "We're CMMI level five," the highest. So, very well known. Well understood. And for years, people have been asking, "Can we have something like that for cyber?" And I use the word cyber because it's more than just cybersecurity, it's really, if you think about maturity, you move towards cyber resilience, is maybe the only point to get to. "Can I stay up? Am I running all the time? Do I have the right privacy elements in?" So, cybersecurity, a key piece of it, but not the only piece.

So, Carnegie Mellon came to the wise decision that it was actually time to let CMMI live on its own. And it was time that, in order to grow and do what it needed to do, move outside of the university environment. So, they spun it out, and wanted an organization, ideally a non-profit association would be great.

Jason Hiner: Yes.

Robert Clyde: And we were there. ISACA was large enough. We had the wherewithal, which you kind of heard a little bit about us, to actually buy CMMI, and bring it in under the ISACA umbrella. Which we've done. It's been now, part of our organization for two years.

Jason Hiner: Very cool.

Robert Clyde: Thrilled to say that I was actually on the board when we did this move. I remember it well. And there was broad, broad agreement that we needed to do this, and have this chance to serve the enterprises that our members are a part of, and the people who look to ISACA for guidance, are a part of, because we've had COBIT, we've had Enterprise Guidance, but now we have a vehicle that can actually provide that. So-

Jason Hiner: Nice.

Robert Clyde: We've actually made a pretty big announcement now at this conference, relative to CMMI.

Jason Hiner: All right, let's hear it.

Robert Clyde: So, we have come out with the first release of the Cyber Maturity platform. And with this platform, you can actually assess your capabilities, and even more importantly, because it's not just good enough to assess-

Jason Hiner: Sure.

Robert Clyde: You can get a road map, a risk-based road map to where you want to get to, in terms of maturity. Because many organizations may find, and it uses the familiar level one through five, so we tried to keep it in an area that boards, and others, are already familiar with. The second key component, though, will answer a question ... and as you heard, I'm on a number of boards. I frequently interact with other directors. And I can tell you, here's the question they all ask about cyber. "So, where are we at? Where do we stand versus others in our industry? Are we good? Are we bad? Are we getting better, or worse?"

Well, up to this point, those have been really hard questions to ask.

Jason Hiner: Very subjective, right? Very, very subjective.

Robert Clyde: In fact, you generally tended to have the questions be like, "Did we get broken into, yes or no?" And in this day and age, the answer is, "Yes. Should we tell you how many times?" And, "Will we get broken into again?" "Yes." The question is, how do we handle all of this, and what's our level of maturity? And so, not only can we get this information, but we'll actually be able to slice and dice it by industry, company size, and many different areas. And you can actually get a benchmark. "How does my organization compare against others like me?"

Jason Hiner: Yeah, nice.

Robert Clyde: And, "Where's my target of where I want to get to?" So now, I can have a discussion with my board around my maturity. Around really, where am I at? And have it come from, not a vendor who might ... you know, I love vendors. I've been a vendor my whole life. In my day job. But trust me, vendors, when we do assessments, the answer is always, "And oh, by the way, we have a tool or a service," that'll just happen to-

Jason Hiner: To fix that.

Robert Clyde: Fill the gap. To do our assessment, but we could care less, what the answers are.

Jason Hiner: Sure.

Robert Clyde: We actually, just as with the other CMMI work that was done, we just wanna give you a real answer, and an answer that will be viewed well by the community. So, it maps to NIST, it maps to ISO 27001, it maps to COBIT, it maps to frameworks that people are used to, and they can answer those questions as well, at the more technical level, the regulator level, et cetera, of how well they've mapped to well known frameworks, all built into this single capability that we've built in the Cyber Maturity platform.

Jason Hiner: Cool. So, if I'm a CIO, or a CISO, and I say, "Great. We wanna figure out where we're at, and we would like you guys to help us do it," where do they get started?

Robert Clyde: Sure. So, just contact CMMI. It's out there, now, on our website. You can find it, go there, ask for some information. By the way, if you're here at the show, please, come by our ISACA booth.

Jason Hiner: Cool.

Robert Clyde: We're actually doing some demos that you can arrange, if you have time. I know it ends on Thursday, but if you have time, there's some demos that are available to see. Or you can arrange a time for us to be able to show you over the phone, a demo of what it can do. And then, you can get started. You get started with an initial assessment of one of your business units, if you're a large organization. Or even an assessment in total, for a smaller organization. And we'll take you through this process.

Jason Hiner: Nice.

Robert Clyde: To find your target. So where are you trying to get to? You shouldn't probably try to get to level five on day one, just as with-

Jason Hiner: Sure.

Robert Clyde: Older CMMI. And we'll help you figure out, through the platform, we'll actually help guide you, so it's not just picking numbers out of the air. It actually guides you to this through well-prepared questions, and the guidance will lead you to what your target should be. Then, you'll be able to do an assessment, and then actually get a road map. And track progress.

Jason Hiner: Nice, yeah.

Robert Clyde: So, it's not just a point in time, but it's continuously updated, unlike a spreadsheet. It's gonna be continuously updated all of the time, so that you can actually see movement, and answer the board, "Hey, we were here before,"-

Jason Hiner: "And here's where we're at now."

Robert Clyde: "And we're better." Life's getting better.

Jason Hiner: So, it's not necessarily a busload of consultants and a zillion dollars. It can start even with just a phone call-

Robert Clyde: Yes.

Jason Hiner: To get it started?

Robert Clyde: It's a very easy, simple way, in order to get started. Now, if you're a large organization, might you hire some consultants to reach out to one of the big four-

Jason Hiner: Sure.

Robert Clyde: To assist you to reach your target, or buy some vendor's products? Most likely. So, I don't wanna make it seem like this is a push-one-button and your security issues are over. But I think it fills that critical need that boards have been asking for, to answer those questions of, "How good is my security, really?" Because answering it at ... which is the default way they have been doing it, "Did I get broken into, yes or no?" Most boards are now savvy enough to know that's a useless question.