Is wishful the new default cybersecurity level for small companies?

If you look at a standard maturity index for processes (such as COBIT or ITIL), they propose five level:

• Initial
• Repeatable
• Defined
• Managed (and measurable)
• Optimized

With a sixth one being implied (non existent), and on the NIST side we have the Five Functions:

• Identify
• Protect
• Detect
• Respond
• Recover

Although these make perfect sense for a practitioner, I feel they imply way too much positivist on the lower levels. I would position that in today’s world if you are not able to Detect problems and have not a measurable way to make sure it is working and improving, you are just being wishful that you are defending yourself properly.

So here is my proposal to simplify these models with clear language that a non practitioner would understand quickly, I propose the simple following four levels:

• Delusional: here we group all of these: no tools or wrong tools with no processes or monitoring and no clue what they need to protect. 
• Wishful: some tools (or the right tools!), but no oversight, process and monitoring (basically “fire and forget”), with some concept of what they need to protect (Initial/Protect as per above)
• Conscious: some tools with oversight, process and monitoring and a rough idea of what to do in case of an Cybersecurity Incident (Managed/Respond)
• Awesome: the right tools with oversight, process, monitoring and tested response plans (and competent people to review, improve and take actions) (Optimized/Recover)

I would position that many companies today fall into the “Wishful” category: they have deployed some tools and sometimes all the right tools, but are not investing enough in processes and monitoring. They feel that because they have the right tools they are protected. Unfortunately, until they get to the “Conscious” level, they have no way to know if that’s true, or since this is about the fast moving world of technology, they have no way to know if the “right tools” they deployed previously are still the right tools for now. 

On a side note, if you handle customer data (especially anything that falls into “Personal Information”, financial information and/or Credit Card information), awesome is the only acceptable level; you are being entrusted with that data and if you do not demonstrate your are doing what’s needs to be done it’s only a matter of time before you have an issue that will drive your customers away.