Brief summary
One of the fundamentals of security is self-awareness: knowing where you may be vulnerable, the practices and processes that aren't yet quite in place and what actions you need to prioritize are essential if your organization is to excel at security. But how can that be done? In complex and distributed teams, surfacing such knowledge can be incredibly difficult. One solution, though, is something called a security maturity model.
In this episode of the Thoughtworks Technology Podcast, Thoughtworks alumna Diana Adorno and current Thoughtworkers Lisa Junger and Robin Doherty speak to host Alexey Boas about a security maturity model they've developed that was recognized by the prestigious CSO50 Awards. They explain the purpose of developing and using one, how theirs works and why it should matter to any organization that wants to get serious about the way it does security.
Episode transcript
Alexey Boas: Hello and welcome to the Thoughtworks Technology Podcast. My name is Alexey, I'm speaking to you from Santiago in Chile, and I'm going to be your host this time. This time around, we get an opportunity to talk about security in organizations. For that, we have Diana, Lisa, and Robin here with us from a couple of different places, I guess. Maybe we can do a quick round of introductions. Diana, can you kick us off, please?
Diana Adorno: Yes. My name is Diana Adorno, and I'm a product designer and a qualitative researcher. I've worked with Thoughtworks for 14 years and spent 3 years with the InfoSec team. My background is computer science and applied psychology.
Alexey: Thanks, Diana. How about you, Lisa?
Lisa Junger: Hey, I am Lisa Junger. I am speaking to you from Hamburg, Germany. My role currently in Thoughtworks is the global head of security operations. I've been heavily involved in the thinking around the security maturity model, so I'm really happy to be here and share my thoughts.
Alexey: We're happy to have you. Thank you. How about you, Robin?
Robin Doherty: Hello, I'm Robin Doherty. Like Diana, I'm based in Australia, although I'm in sunny Brisbane and she's in sunny Perth. I joined Thoughtworks about 12 years ago as a developer but now I'm a security guy. I've switched between a few different operational and consulting roles in my time here. I've done some security consulting with Thoughtworks, particularly on security strategy. Last year I was the acting CISO for one of our clients. These days, I'm back at Thoughtworks leading our team of business information security officers or BISOs, who are many CISOs for business units within Thoughtworks so very relevant to the topic for today.
Alexey: Cool. Thanks, Robin. Today, we're going to talk about the business security maturity model you all worked on. One important thing to mention is that it was one of the nominees and one of the winners of the prestigious CSO50 Award last year in 2023. First off, congratulations to you all on that. It's really amazing. Maybe let's start with what the model is. Maybe, Robin, can you tell us a little bit about the model structure, its parts, and how they come together?
Robin: Yes. I should start by saying how this came about. It started with a question. We're a bit of a federated organization, so our countries are like business units. Diana asked us, asked me at the very start of her time in the InfoSec team, "If you drop into a new country, how do you assess the real estate of their security?" I started listing off things that I would look into and check and it's not just about whether you're following the NIST cybersecurity framework or ISO 27001 controls framework but more about what does the business leadership need to be considering to drive a good security culture.
From there, we ended up developing this model, which started out as a spreadsheet. We have a lot of analytical people in the security team, as you might imagine. Having come up with what we thought were good dimensions for this model or areas that we thought you would need to assess or invest in if you are a business unit, we then started to say, "What does good look like?" We developed maturity levels for each of those dimensions. Actually, we broke the dimensions down into multiple sub-dimensions.
The dimensions are things like having good leadership engagement, having good governance of your security risk, making proactive improvements, which is something we're very keen on at Thoughtworks, in implementing an approach to learning lessons from security incidents, even very small ones as they happen. Having a security champions community and investing in that and making sure that people are learning about security, both from an awareness point of view and also a deeper capability building point of view, having secure software development practices, handling data well, and a couple of other things like that.
There are 10 of those. Each of those is broken down into maybe 5 or so more attributes. We figure out what does very good look like. We call that level 5, and that's where we want to get to ideally, but we recognize that that takes time so we've got steps to get there defined. As I said, we're analytical people. [chuckles] We developed this big spreadsheet and we said, "Right, let's get going. Let's get moving and get everyone to improve all around the world in our different countries."
Diana, bringing a slightly different skill set to the team, encouraged us to think a little differently because when we showed this big spreadsheet to people, they just glazed over because not every leader in the business has a big security background and, as leaders, they don't have the time to consume that. We had to come up with a way of visualizing this.
A big part of what the maturity model actually is is the visualization of the current state. With the visualization that we have, business leaders can compare their business unit to other business units and we can make a plan on a regular basis to get from one level to the next in certain dimensions, so as to encourage that continuous improvement of security and maturity largely focused on culture and those 10 dimensions that I mentioned.
Alexey: That's a great summary. Thank you so much. Let's delve deeper into some of those as we continue the conversation, but I'm curious. It was one of the winners of CSO50. What were some of the key elements for that and what's the value the model brings? Maybe, Lisa, you can talk to us a little bit about that, the benefits we get from the model, its value, and how relevant it is for the broader industry.
Lisa: Sure. The CSO50 Award, for those who may not know, recognizes innovative approaches at that intersection point between business and security, and I think ever since people started thinking about protecting their systems, this has been one of the core questions that businesses continue to ask themselves. How do we make sure that we have the right strategic focus and that we drive the right prioritization given the business context, the business intentions, the risk that we are seeing? I think why it's been awarded is that it really tries to bring out that question.
It tries to change the conversation about security, not in security or technological terms, but in actual business terms, addressing that question of how do you make security everybody's responsibility, really. It's something that's easy to buy into as a saying, and I think it's widely spread and much heard, but it's really hard to find ways that give you a good angle on it, so that you could actually focus on what security means for different people across the organization. How do you get a language in place that empowers business leaders to make decisions? Because we all make security decisions every day, just by the plain fact of doing our job, whether it's directly related to security or not.
I think that was the bit that really drove the award-winning. It may not have all the answers, but I think it's really trying to articulate that problem space. That is something that the industry, I think, hasn't really-- It is not a well-traveled area in security today. We're looking to make those steps together with other organizations in our industry.
Alexey: That's cool. Maybe to get a better idea of how it came to be and what were the challenges you were looking into at the time. Robin, you talked a little bit about that motivation of you get to a business unit or in the case of Thoughtworks but a country and understand what's happening there and how to move forward. Maybe can we talk a little bit about that? Why have a maturity model? What was some of the motivation for building it in the first place? Diana, maybe you can speak a little bit about that.
Diana: I did want to build on what both Lisa and Robin mentioned. The original motivation was, for me, very much because I was coming into the team from a different perspective. I'm not a security specialist, but I do specialize in understanding people. Ultimately, what we were trying to do is shift people from their current way of working into one where they were naturally integrating or thinking about security. The question is how do you do that.
The starting point was, again, asking that question. I did observation when I first came into the team and noticed there's lots of fantastic work happening. It raised a question about how do we make this easier for people to understand? I did some research initially just to understand the perception, so who understood security and to what level? The motivation came down to, how do you bridge that gap between people who are experts in security and people who are in the business area with very different focuses and different responsibilities?
When I started to think about it-- I'll start with my perception first, which was trying to build something that I would call a conversational framework, which is a way to bridge that gap in conversation, and from there, it then moved on as we worked together, worked with Robin and with Lisa saying, "How do we then make it a bit more like an improvement framework?"
Then as we evolved it further, I think it looks like a maturity model. That's its history, that's its motivation, which is to improve conversation, is to help improve. Ultimately, there's a few different ways of implementing it so that there's some autonomy, I think, in the business leaders where they can say, "We can use this to help ourselves," but create a little bit of autonomy to be able to make those changes for themselves.
Alexey: That's interesting. Previously, I was running one of the business units in Thoughtworks in Chile. I had this role of managing director for Chile and we were using the model. It's interesting to hear you're talking about the intentions and how it came about because I could feel some of that on the ground and actually use some of those things. It was interesting because from my personal perspective, it helped a lot in understanding what was going on. I remember that we did an unstructured brainstorming session about what we need to do about security in the country. Then we applied it and we ran one of the workshops based on the model and the views were very different.
On one hand, we just had a couple of random ideas, important things, of course. On the other hand, it felt like something that was much easier to implement and to follow through, and so on. Robin, going back to what you're talking about the structure, I think that was really an interesting thing to see because in the unstructured version, we had different levels of granularity and we have different areas or people accountable for things all mixed up. Then the model really gave it that structure, all right, we have a governance body, we have who is going to implement each of the things, and we have who is it that we need to involve? That suddenly became much clearer, so that was interesting to see.
Lisa: Just adding to what you say, it's really interesting to hear your insider perspective, in a way, [chuckles] looking at it from the security team's side of things. I think what's interesting about the process of implementing the model is that with that analytical approach, we were going by, what do we think? How do we bring in the perspective of the leadership across the different dimensions? How do we have that conversation? It really eventually led to a conversation about we can only do so many things at a time. What is the priority and how does a framework, like the one that we are using now here, help the connection?
It ideally makes it much easier for the business unit to know what services to leverage from, let's say, a central security team, what things are already in place and can maybe be brought to a better implementation given the needs of the business. Connecting those ends I think was a really interesting effect of those conversations in individual countries around the model.
Alexey: That was really the case, Lisa. Also because we have levels of maturity, that also helped us provide visibility to everyone inside the business unit and also to the global structures about, what are the critical things we need to look at? That helped us for, on one hand, prioritize and also be at peace with the fact that these are the things we're not going to look into right now and it's fine [chuckles] because we have a longer-term plan but also understand, here are some critical things we need to fix immediately. Here are the things we need help with. Also, in a way, help the business unit make a business case to global saying, "I need help with this, and this is why. Look at what we receive from the maturity model."
That was an interesting thing about unifying the language and unifying the conversation so we're all speaking about the same things. Also, understanding some of the things, these are the things we need help with. I remember that when we asked for help for a couple of things, the first question that came back was, as you said, Robin, one of the first dimensions: do you have leadership involvement? At the business unit level, is the leadership involved? Do you have executive support and all that? Is that in place? If that's not in place, that's really the first thing you need to do locally and then you can go for some other things. That dynamic was quite interesting and it provided a common ground for conversation, prioritization, and running things as well.
Diana: I was just going to say, Alexey, that's really good to hear. It was really interesting to hear your perspective. When we designed the model, we were hoping for certain behavioral outcomes. We're hoping that it changes behavior in some way. It reinforced that first step, which is that engagement with leadership and a genuine working relationship was not just a third set but was essential for the success of it. It was really nice to hear how you implemented it.
Alexey: The other thing that happened and I'm curious to hear your thoughts about that. It was communication across business units. At the time, we were working on that in Chile and Ecuador, which was another business unit of Thoughtworks at the time, we were working very closely in collaboration. By using the model in both of the countries, we were able to understand, all right, so which initiatives should we run jointly? Which ones are going to run separate, and how does that work? In Thoughtworks terms, being a consultancy, we have accounts that cross business units.
We had a look at some accounts and thought from that perspective, and then what some of the things that the account needs to do for the client and for the account structure, but also, what support does it get from the business unit? That cross-country collaboration was also quite powerful and quite interesting. In a way, it provided a language because we could talk in similar terms about so this is the level we have in this place, in this other place and then we could devise those joint initiatives. I wonder how those kinds of things and that collaboration was in your minds in the original design and thought about and how did you expect that to happen?
Robin: All right. I think that's something we planned for. [chuckles] We knew that making problems visible, making maturity visible would be motivating for our business leaders. The idea of introducing some friendly competition, or to look at it another way, collaboration between the regions was part of our plan and I think it was very effective. Making it visible, introducing that opportunity for different countries to learn from approaches that were working well in other countries. The other thing that we were trying to address here was we knew anecdotally that everything wasn't perfect, but we started doing some research to figure out what was wrong. That's partly what led to the items in the model.
There's this clash between what we thought, which is that security is everyone's responsibility, a maxim that most security people [chuckles] would tell you, and the reality in most places, which is that a lot of people think of security as a very technical specialist niche, and Diana's research really brought that out. The other thing I'd say is we saw different incident reporting rates and we saw awareness training that covered phishing but not everyone knew what phishing was. That highlighted that maybe awareness training doesn't get you all the way to security as everyone's responsibility, and that was part of the motivation for introducing this as well.
Alexey: The other thing I'm curious about and I can talk about my experience in Chile. It was about following up and seeing progress. I quite like the levels of the model because they provide that structure. If you're following up on specific actions, you're following up on an assessment of the results that you were getting and I saw a lot of value in that. It's interesting that you talk about healthy competition, Robin, because I saw some of that on the ground.
We're doing really badly on this, so we need to fix it quickly and let's see how it changes in three months, and things like that. That was interesting. I'm curious to hear your perspective about that. What have you heard from other regions or other countries implementing it? How did it evolve over time? I found it really useful for seeing that progress, showing progress as well, based not just on, oh, we ran this, this, and this, but these are the results that we're getting from the initiatives that we're running. Looking for outcomes and not outputs, so to speak.
Lisa: That's an interesting bit because there's a bit of a risk with numbers, especially number metrics, especially in the areas where it's not just about that and it cannot as easily be measured in its entirety. One of the first things that we heard when we were talking about the approach to our global group of stakeholders was exactly the question of, can we see the results of the other countries or of all of the countries so that we get a chance to talk to one another about the places where apparently a different regional country is stronger against that maturity model than maybe your own, and what can we learn from that? There was this immediate question that came out.
By doing that, I think that triggered a lot of peer-to-peer conversation between different regions, and then coming back to the numbers risk. Not only that, but I think the conversation around the model and the empowerment of really understanding what it takes to build or drive security posture for the business unit that you're responsible for helped articulate, also what you said before, why some areas may not be at the same rate but why that's maybe also okay given the specific context that this region is currently operating in, or the threat landscape, or all of the things that you would probably before that have much more strongly pointed to some technical advisor.
That's obviously still a resource to pull on, but empowering that thinking about why do we think it's okay to be where we are, or why are we at the place that we are for the model's dimensions that other people ask us about, especially peer to peer. It's a very different conversation when one business leader in one country talks to another business leader in another country than having that go through the security team funnel; that can change the way that it's being discussed.
Alexey: How about the global perspective? I mean you were all involved with the global structure of Thoughtworks that would support all of the regions, the business units. How did it help you get insights about what happened? Did it help identify patterns or strong bottlenecks that were present across the board, and also structure initiatives and actions from that global perspective based on the results you were seeing?
Lisa: I think first and foremost for me, it brought out a clear understanding of what our business is afraid of or feels is important. We have a very strong technical security shape perspective on this but really what is that input from the business because our risk is business risk? What are the risks that we should be really focusing our efforts on as the security team and then supporting that more centrally? Beyond patterns in the results, I think that to begin with, just getting that input on how are things being prioritized in the conversation with-- Maybe that's a different prioritization than we would've done it in "isolation" or as in a conversation within the security team.
I think that still is a really interesting input to our priorities and the security strategy across the organization. Then I think beyond that, there are just a few things. We've always been monitoring reporting rates for security events. For example, we've been comparing them but learning what are the drivers for those from a business perspective, from a regional culture perspective. What are the interventions? How are they different to what you would maybe do if you just blanket state look at the whole organization if it was the same thing?
Diana: Having that common language and those measures, like doing the assessments. There was one stage where we did a global picture in which we had graphed all of the countries side by side and we intentionally got it into a single picture. It was really interesting when we were showing all the leaders of those different countries and you could see people leaning in to see where they sat compared to others and picking up...
I don't think it's natural — a bit of a thought Robin was saying about natural competition — but I think people want to understand who's doing what and who's doing better predominantly so that they can ask and say, "What are you doing? Where you're doing better in one area rather than another?" I think that that was really useful. Using that data-driven approach, like getting some data because it's a really large area.
Coming up with something where you could actually do an assessment, do some measurement, and build a single picture that people at least could have as a starting place to compare with others. Alexey, I think you mentioned it, this is one of the differences between the different countries that you were looking at: you want to understand that no two countries are doing it in exactly the same way and it's not a test tube. It's out in real, different business contexts. It's a guide, but I was surprised how powerful it was to get that single picture so people could start to compare and share stories about what was working versus what wasn't.
Robin: I think the most useful part of collecting this data for all of the business units was we got to see how different countries run security champions programs. There's been a lot of effort and investment across Thoughtworks in different countries on security champions programs. Some of that has been quite organic so they end up not being exactly the same.
We have different approaches to training and assurance programs that having seen them all, we were able to come up with what is the actual-- The approach that we should take globally and we're working on that now. It's been hugely valuable to the security team to be able to collect the information and have people talking about it and sharing and learning from each other.
Alexey: That's interesting. We're talking about the model, how it is right now, a lot of value it's bringing, and some of the interesting things it brings. You've been involved with designing the whole thing from the beginning. How about the things that didn't go as planned? Do you have one example of something that you designed in a way and then it didn't go like that, then it changed dramatically? Any stories about that, things that didn't go as planned, and either a new version of the model didn't incorporate it or changed it or just dropped or something like that?
Diana: I think Robin alluded to it in the beginning actually. When I came in, there had already been several iterations, I think, of going in this direction, trying to make security everyone's responsibility. The first iteration that we saw was too complex. We actually did the assessment first and gave people the details so you can say, "These are all the areas that you need to work on." It was quite detailed and it was quite comprehensive.
If you could get through it, you'd feel quite confident that you had it well covered, but it was very detailed and that was too much for people.
That was too much in terms of how it looked. It was difficult. It made it look more complex. What we were trying to do is the opposite. Ultimately, we realized that we had to shift the way that we were presenting information to people so that they could see immediately how it connected to what they already knew. By starting with the assessment first, which was quite detailed, that was-- Yes, that didn't go down so well. We're confident in the content but people couldn't use it on their own.
Lisa: I think another thing that, for a short time, I found really interesting is, with that comprehensive, really broken-down, things-to-measure approach, there was a bit of a moment, I think, where we thought, "We give that to our business leadership or regional governance and they will be happily evaluating the maturity and then we have their perspective on it." I think it turned out what worked much better was to start with a view and say, "This is how the security person in your region looks at this," and that was empowering.
Because that led to conversations about where there's different perspectives from different stakeholders and say, "I don't really understand how you get into this because I also see these other things." Then that way, it really drove a better conversation and integration of the perspectives other than say, "Look, here's a way to do it. Please go and do it because we really want you to evaluate [chuckles] the security maturity in your context." I find that really interesting because it still led to that collaboration. It just didn't start there as much as we maybe thought naively in the beginning it would.
Alexey: That's an interesting point, Lisa. I remember that from the other perspective of being in a business unit. The open question of, "How is security going in your country?" is much harder to answer than, "Hey. This is what we're seeing. Let's talk about that." "No, wait. Why is this so low?" And, "Hey, I didn't expect this to be great. What are we doing with respect to that? Let's talk about the things that we can do."
It was a very productive conversation because we had a place to start from and it was interesting because it became-- I think it turned the conversation into something less philosophical, "Oh, what is it that we're doing? Where are we at?" Then, "What can we do about it?" Then, "Why? What are the factors driving this?" and those kinds of things. Now that you mention it, I realize it was a very interesting conversation and much more productive because it was framed that way.
Robin: One thing that wasn't a failure but we didn't predict was the way that the business units adopted the model into their ways of working. We had anticipated that people would dutifully complete the assessment, discuss what were the right things to work on over the next couple of months, decide on an approach to improving that, and then come back and measure in a couple of months and start the whole cycle again. We had a pretty rigid idea of what that would look like but we weren't prescriptive in saying, "Thou shalt do it this way."
Some regions took a very different approach, which was a much more collaborative workshop partnership approach, where it was in conversation between the business leader and a security team about what their backlog should look like. They weren't following the spreadsheet approach so much. That actually led to us being able to make the approach a bit more flexible.
Alexey: Where does it go from here? I'd love to hear from you, what do you think? How do you see the model evolving? How do you feel it can be useful to the broader industry? And maybe advice you would give to people looking to improve their security maturity and initiatives for governing it.
Robin: Oh, I've spoken about the model with a few different clients before. If you are looking for a way to improve security culture, trying to figure out what you would need to do to support that and developing a model based on that is an approach that worked for us and I think it could work in lots of different places. We're going to publish the high-level view of our model, so that can be a starting point for others, although the dimensions will be different depending on the organization you are.
Where people slip up is they think it's a replacement for the cybersecurity controls framework. It doesn't tell you what to build from a technical point of view. It is very much about making progress from a cultural point of view. I think as long as you come into it with that perspective, it's something that can be adopted much more broadly. I have seen people use a similar model for assessing their own business unit elsewhere, but it's quite a new thing. I haven't seen many other people doing this.
Diana: I would add to what Robin is saying that the model is definitely a starting point and there is some argument for developing your own, but I think, as he said, starting with this one as an example is great. There's a real power in saying, "What are the most important aspects of security for my particular organization?" Wherever that is. It means that you have to do that collaboratively because you need to have different perspectives to come up with it. There's real power in coming up with the maturity model yourself.
I think it's good to look at the ones that we've come up with, but obviously, we are also a large consulting company and businesses are in very different contexts. I think it can also work for a team or a department, as well as an organization. I think it can work on any level. You can take the perspective of building your own, and I think using a socio-technical approach. Think about the psychology of people, what conversations they have, what decisions they need to make, and the business context, as well as what we're asking them to do from the security point of view in Thoughtworks.
You might want to choose the right language that's going to work for your organization as well. I think from there on, you also want to have that continuing conversation. That doesn't just stop at the model. The model can, and will, evolve, and hopefully, the conversations will also evolve between the different groups so that security is seen as an integral part of business. Business is also an important concern for security teams as well.
Lisa: I would add the ever-increasing visibility or relevance of the threat landscape around most organizations that employ technology is something that no business leader cannot think about. I think we'll only see more about that. I think that will drive even more than it has in the past. The question of, how do we empower more of the organization outside of a centralized team of experts frantically trying to protect the organization in all its places when you're thinking about the remoteness of how work happens today? COVID has been driving this a lot, obviously, but in all kinds of shapes and forms, it's just not a viable future option, I think, by itself.
That doesn't mean that it doesn't also have to evolve, but we also have to find these other ways of bringing the message and the empowerment and clarity on what to do about it and what leverage everybody has in their specific roles. That I think starts with leadership and it doesn't end there. That is going to be a question that we'll have to put a lot more effort into, as security specialists, but also obviously all the rest of the business leadership around it. This, I think, the model that we're using is just the starting point to thinking about this, as there are many other ways to do that.
I would love for all of us in the industry to start talking more openly about the things that are not working, and that's a particularly difficult area in security. We see a lot of regulators driving in that direction. Luckily, I think that's going to help us all in some shape or form, but also our culture in making sure that it's okay to talk about things that are not working without that meaning that you failed to protect your business or whatever has been entrusted to you. Seeing it as an opportunity to improve continuously and actually get what we all need to get, that is something that I would hope to get to. I think a model like this is a starting point to have that conversation with a broader group of people with a wider remit of perspectives. I think that's where we will be going or where the industry will have to go.
Alexey: Wonderful. It makes a lot of sense. All right. I guess this brings us to the end of the episode. It was a great conversation. I really enjoyed it and a privilege to have you all with us. Thank you so much for joining.
Robin: Thanks for having us.
Lisa: Thank you. Thanks, Alexey.
Diana: Thanks, Alexey.