Maturity models are helpful frameworks that outline the stages organizations progress through as they improve their security systems and protocols, but it can sometimes be an arduous journey from the lowest levels of maturity to the highest. If we reflect on early frameworks like the Capability Maturity Model (CMM) – developed in the mid 1980’s to assess software development and later adapted for various disciplines, including cybersecurity – reaching peak maturity was an immense challenge at the time. However, the recently updated Zero Trust Maturity Model (ZTMM) released by the Cybersecurity and Infrastructure Security Agency (CISA) lays out a more achievable roadmap for government agencies that are required to transition to zero trust architecture.
While the guidelines are directed at federal agencies, they are a valuable resource for all industries, particularly financial services – another favored target for cyber adversaries. The model is structured around five core pillars: identity, devices, networks, applications and workloads, and data. For each of these pillars, organizations will fall within four stages of maturity, from “traditional” to “optimal.”
CISA developed the ZTMM 2.0 as a strategy to counter cyberthreats by evaluating the most common types of attacks the government has faced over the last decade, but it’s crucial to note that threat actors are using the exact same tactics to breach organizations outside of government too. Organizations in financial services and other sectors can benefit from following CISA’s guidelines regardless of whether they’re mandated to comply with ZTMM today or not. After all, it is likely only a matter of time before all or key elements of ZTMM become required by regulators across financial service sectors. With cyberattacks on the rise, free hacking toolkits, specialized Hacking-as-a-Service offerings, and technologies like AI at hackers’ fingertips, zero-trust architecture will be table stakes for all organizations soon.
AI ML News: Next-Generation Ericsson RAN Compute Breaks Ground in Network Processing Power
There is a high degree of urgency around zero trust today, especially when it comes to the first two pillars of the ZTMM – identity and devices. Research shows reusing stolen credentials and phishing remain the primary ways attackers access an organization to deploy ransomware, steal data, and access customer accounts. An increasing number of hackers are exploiting passwords and bypassing weak “legacy” multi-factor authentication (MFA), so strengthening an organization’s identity and device pillars right off the bat can make a substantial risk reduction difference.
While MFA is becoming a standard security requirement, especially in financial services, not all MFAs are created equal. Given the current state of cybercrime, weak MFA is easily circumvented, so phishing-resistant authentication and strong device security can go a long way toward protecting sensitive data. In fact, federal agencies were given only two years to implement phishing-resistant MFA for all internal systems, and to add a phish-resistant option to external systems. Due to the scale of external systems, there was more flexibility since it would take some time to fully convert all the citizens using these systems to an upgraded authentication method.
There is too much risk to move gradually through the stages proposed in ZTMM 2.0. By initially focusing cybersecurity efforts on securing the identity and device columns, organizations will obtain the greatest ROI and protection against heightened risks.
[To share your insights with us, please write to sghosh@martechseries.com]
Comments are closed.