The Cyber Maturity Journey

DRAFT for Comment – Not Policy until approved.

When we first looked at this as a pure Cyber Maturity Modelling exercise, it was a perceived to be a move through the traditional maturity modelling approach. However, when we further explored the problem and what we were being asked to do, it became clear it was actually about mapping out pathways to a destination which was an agreed level of Cyber Maturity.

This journey then is not necessarily linear in a straight line, but more about different pathways and routes with waypoints and bridges to the same destination. For some the journey will be short for others long. There is also the issue of budget and resource, whether you are walking, hitch hiking, taking public transport or being chauffeur driven.

The language of a journey, pathways, and routes, mean that in some cases an organisation may be mature and experienced, further along the pathway while others have barely started out. The length of the journey and some of the route and maybe the transport method will be determined by the relevant profiles discussed later. Part of the journey maybe common to all provided by free public transport in the vestige of taking up and deploying the NCSC Active Cyber Defence programme resources that are free to consume. The last part of the journey for some may be into uncharted territory on foot, of a regional Shared Cyber Operations Centre for instance.

The original thought was a Cyber Maturity Model, however the tasking is to consider the Cyber maturity pathways, to define a journey towards having Cyber especially the defence and resilience aspects fully optimised in the organisation. If we take the journey analogy forwards, the quote from Alice in Wonderland seems apt.

"If you don't know where you're going, any road will take you there." This oft-cited but not-quite-accurate quote is from the Lewis Carroll's classic children's tale, Alice in Wonderland.[1] What’s required at each level? - Why are we doing this in the first place? (The Shared Cyber Doctrine)[2];

To keep the organisations information safe, secure, accurate and available. This is the overarching strategy, that supports a higher shared UK doctrine, the real “Why & How”, things like protecting our freedoms and democracy, keeping the UK safe from Cyber Attacks so that it is a good place to live and transact business using Cyber to do so. This UK Cyber Doctrine, then translates into the UK defence and UK Cyber Strategy, which underpins the entire approach for how we do things.

It is suggested to start with a baseline, a checklist approach for expediency, then the initial findings are baselined and the next steps and gaps can be identified, along with acknowledging good practice that’s already in place.

Deploying through life measures, through the metaphor of a journey, so the language, approach and idiom must use the language of dynamic risk and movement. Language can influence communications immensely, which is the basis of NLP (Neuro Linguistic Programming) [3].

The use of Weak Signals [4] , to pick out the threads of improvement already exist and can be built up, will ensure goal based momentum to the initiative. The use of Nudge [5] to shape all training, education and awareness raising to highlight the good things that exist and then to highlight and clearly focus and re-enforce constantly the areas that need additional work. Nudge is all about constant almost subliminal communication, using briefings, messaging, incorporation into routine communications and social media. We could think of this as a broad-spectrum holistic approach, taking every opportunity. A Rich Picture [6] can help articulate the vision in a visual way. A Wardley Map [7] can help to capture the key steps and stages. Defining the needs and outcomes in terms of a Wicked Problem [8] and Soft systems methodologies and also help [9]. The whole point being this is really a transformational change journey, needing alternative pathways, depending on need. Having these pathways clearly articulated before engagement, then facilitates a predefined set of options that a practitioner can then analyse and apply as appropriate.

Keeping with the journey analogy, the destination is mapped, however it may be necessary to complete some waypoint journeys along the way, these diversions, from the main path will ensure consistency. There is a very famous saying I like from NLP, “The Map is not the Territory” [10]. Using metaphor, stories and parables enables communication of quite poignant technical issues in a simple understandable way. 90% of communication is about knowing the audience and adapting the same massaging to a diverse audience.

“Profiles Principles, Pillars and Pathways”

Profiles

One size does not fit all. UK Councils vary in size and remit. Their common traits are that they administer their locality and are sovereign democratic entities by statue. Their size, systems and services can be quite different. There are other causal variables as well, their political direction, whether they have outsourced their ICT services etc. Therefore, we need several agreed profiles. The Cyber journey through to the destination must be achievable by all organisations regardless of type and size. Appropriateness of the wording of the expectations to realise the required effects are the key.

Principles

The principles detail the outcomes the “Effects” required. The use of “Effects” is a particular phrase that resonates in the Resilience, Cyber and Military world, for instance if COBR/A requires an action to take place, during an emergency or crisis, they will not be prescriptive how it is done, they will however articulate “Required effect” [11] this is the required outcome.

This in turn is a parallel to the articulation of principles, which themselves are stating the actual problem to be solved with a hint (nudge) towards the outcome and how to achieve it. In agile, we use “User Stories”, this too would work well in this part of the journey. Using the previously referenced P3T (Personnel, Physical, Procedural & Technical) approach, which we have updated to a “P4T Model ©” to now include Profiles, which enables organisation specific approaches, according to the type and size of organisation. The Personnel aspect here would be behavioural, I refer to it as “Behaviour Shaping”, that ultimately, the effect we are trying to achieve.

P4T (C)2020/21

• Personnel

• Physical

• Profiles

• Procedures

• Technical

Pillars

The Pillars are the cyber domains, sometimes referred to as the Underpinning Cyber Aspects (UCA’s) which are detailed below. In articulating to an organisation what good looks like, the UCA’s present several areas and aspects that are tangible and can be measured. This means they can be based-lined and then reported on. This compliance approach would utilise a phrase well known in Local Government Audit, that of Key lines of Enquiry (KLOEs). The pillars support the entire eco system model. They are the supports that hold up the building above (Think of a tower block, the underground car part always has the supporting pillars, holding up the structure above. The building in this case is the network, the systems, services, and data that underpin the organisation and the business. Never forget the overarching objective of all of this is the protection, integrity, and availability of the organisation’s information.

Pathways

The pathways are the route plans for each of the UCAs, The WHAT we need to achieve (The effect), and the HOW we get there. Think of them as a branch line off a main rail link. With a set of points at certain waypoints. The question at that point is “Does the desired effect at the appropriate level for this part of the journey exist? Yes or No”, if “yes” continue on the main pathway forward, if “No”, then switch to the branch line, carry out the required actions to complete that waypoint and return to the main line to continue. This then becomes an iterative continuous improvement process.

Levelling Up

C-TAG were using the phrase an approach recently coined in mainstream politics of “Levelling up” back in the Summer, so we will continue to talk about levelling up., as it describes the effect we want. Levelling up in this context is not having to “Assume” that every Council in the UK is at a certain level of Cyber Maturity on a certain point on the Cyber Resilience Journey, we need to safely “Expect” that is the case. We’ve already discussed and descoped the idea of a level zero “Unknown status, not engaged and unable to contact the organisation to find out”. This means we expect all Councils have made some progress towards Cyber Resilience and the immediate expectation of a baseline starting point is clearly articulated.

Using the Underpinning Cyber Aspects C-TAG and NCSC need to agree what level one looks like. This may be through the work of the LGA Cyber Programme or the combined efforts of the Department of Levelling up, Communities & Housing (DLUCH) along with the Devolved Administrations.

Level or step one, must be a unified agreed and accepted minimum baseline across the UK. Level one will be predicated on statutory and legal requirements such as the Data Protection Act, which cannot be argued against and therefore the “Checklist” will be a baseline that is reasonable to expect any organisation to have in place and at no additional cost. The Roles and responsibilities are a statement of roles being in place that is someone carrying out the function. The NCSC Active Cyber Defence systems and services are available for all UK Local Authorities to consume at no cost, so that is reasonable to expect etc.

The subsequent stages on the journey can be subject to agreement and debate. By the time we are discussing the destination it will require an articulation of what good looks like and a mixture of case studies exemplars, tools, and approaches to agree those principle led effects.

Learning Organisations and Continuous improvement

The last thing we want to do is create a new set of burdens for any organisation. This approach is about being a Learning Organisation [xxx], using proven methodologies such as double loop-learning [xx] which fosters a culture of continuous improvement. Once the momentum is there especially through peer support afforded by the WARPs and C-TAG it becomes easier as the successes and failures are shared with peers in a safe place afforded by the WARPs and C-TAG. Where there are obvious wide gaps identified within specific or general profiles, additional workshops, tools, templates, and good practice sharing can be facilitated. We are familiar with the 1-9-90 social collaboration model [xx] mentioned before, the WARPs especially foster this approach where the WARP is led by a Subject Matter Expert who acts as a trusted catalyst to bring learning and advisory to the group. The group then owns and adapts that learning and the suggested approaches into their own organisations. As far back as the 90’s there were the European Quality Assurance Framework (EQAF) model [12] and the McKinsey MIT 90’s model [13] both of which helped shape collaboration and learning. This was picked up by Osbourne and Gaebler [14] in their work on re-inventing Government and subsequent research undertaken by the author [15] which provided some of the original catalyst ideas that helped form the original WARP services in 2004/5. The work of Senge and his book the Fifth Discipline and its workbook [16] also helped shape a lot of these innovations and the approach discussed by Tom Peters around organisations and innovation “In Search of Excellence” [17]. The LGA has always proposed peer support as a catalyst to service improvements. The introduction of profiles, will help shape what success looks like and set acceptable expectations.

The main thing to get right is what we call each of these labels. The idea of something like “initial” or “Preparing” for stage/level/way point one. The first label needs to reflect the start of the journey. The destination itself, needs to intermate, both arrival at the destination and the continuance of the journey as one thing we know about Cyber is that it’s evolving, dynamic and continuous. Attacks, subversion, and threats are going nowhere.

Cyber Attacks and disruptions, will be a constant moving forward and are likely to increase as the global players realise Cyber Offensive campaigns are highly effective and likely are good value for money, with the real costs of Cyber coming from the Defensive side.

Preparing / Preventing / Progressing / Protecting / Progressive

The above is a throw away thought, not even a suggestion. We need each stage point to have a good narrative to explain that way point. The hard work starts on populating the staps and stages with the Underpinning Cyber Aspects (UCAs). Some of the way points will be hard stops. For instance, you can’t go beyond stage/level/point three, until you’ve all NCSC ACD products and Services in place and progression beyond four requires you have an active trained internal Cyber Coordination Cell to support the LRF CTAC etc.

The need for an Integrated Approach

There is a lot of conflation between Risk Management, Information Security, Information Assurance, and Incident Response. This is where the profiles will come in useful, to shape the different UCAs.

These issues are well documented and well understood. We do not need another maturity model, framework or standard, but a way in which we can match stakeholder engagement and take-up of the various Cyber Programmes and initiatives. Where there are gaps, the journey approach will be able to signpost relevant materials, templates and guidance to help the organisation move forward.

The use of Profiles to provide a meaningful set of metrics, will be useful for strategic decision support in knowing which organisations have a well-developed understanding of Cyber Security according to their appropriate profile.

Having a UK wide Local Authority view will help shape investment and more importantly where gaps exist requiring interventions.

At all levels, we propose a set of profiles, reflecting needs, experience, and knowledge in the people as much as the technology. (In no particular order of precedence);

• Members (Councillors) – The Board in a private organisation

• Senior Management, Corporate Management Team

• Services Consumers [Users in old money]

• Suppliers – supply chain elements.

• Security / ICT Practitioners within the organisation

• Service Managers the SIRO & Information Asset Owners

We must include suppliers and Councillors, especially for the higher maturity tiers as they must be informed and aware.

Services users & suppliers, practitioners & Service Managers (Information Asset Owners) ,

Senior Management (SIRO) and the Corporate Management Team and the Councils Members (Councillors). We must include suppliers and Councillors, especially for the higher maturity tiers as they must be informed and aware. The RACI approach [18], is also useful for analysing the internal communications and posture of Organisations.

For each of the waypoints we propose a set of metrics and measurements that can be clearly articulated across the RACI domains (responsible, accountable, consulted, informed). We also recommend pseudo-anonymisation of organisation details and names, with appropriate NCSC facilitates FOI exemption for this information.

Each of the five levels can have a RAG Status as an organisation could be green at level 3 say but be amber at elements of 5 & 5, therefore an improvement plan is possible.

The Underpinning Cyber Aspects (UCAs) – (Subject to agreement and alteration.)

• Engagement / communications status

• Take up of ACD

• Member of NCSC CISP

• Member of Regional WARP

• Active in C-TAG/ Local CIO Council / Local Delivery Council

• Have a Cyber email address?

• Good Web/email Security

• Good Back UP strategy (Which has been tested!!)

• Cyber Essentials / PSN Compliance

• Following Data Handling guidelines

• Named SIRO / IAOs

• Corporate Information Governance Group meets.

• Suppliers are assessed (Cloud Principles) and aware of their responsibilities

• Regular Cyber Exercising

• Regular vulnerability Scanning

• Written and articulated Risk Appetite Statement • Information Risks part of Corporate Risk Register.

• OWASP Framework used to protect Website.

• MITRE ATT&CK framework used for Risk Analysis ./ network defence.

• Contributions to National Policy etc.

Next Steps

1)The next stage is to agree the Cyber Underpinning Aspects (CUAs) and then defining them with a narrative against step/stages or waypoints 1-5 (zero having been excluded from the conversation, so zero is also one). Define the differences in the profiles (District/Unitary/County Council, Shared Service Partnership, Insourced/outsourced ICT etc.

2)Define a set of profile appropriate user stories or personas, so that the attainment statements are clear and measurable with either assertions (that can be evidenced) or through monitorable artefacts (ACD Take-up, email posture web site security / digital certificates etc). OWASP….

3) Refine the Draft spreadsheet Matrix of levels and CUAs with Narrative and then adapt the matrix for each profile.

4) Agree the labels for the level and the language to be used.

5) Undertake a pilot with the initial artefacts and journey map.

References:

[1] Alice in Wonderland: https://eric.ed.gov/?id=EJ997652

[2] Joint Doctrine https://www.gov.uk/government/collections/joint-doctrine-publicationjdp

[3] NLP https://www.nlpacademy.co.uk/what_is_nlp/

[4] Weak Signals https://sloanreview.mit.edu/article/how-to-make-sense-of-weak-signals/

[5] Nudge https://www.imperial.ac.uk/nudgeomics/about/what-is-nudge-theory/

[6] Rich Picture http://systems.open.ac.uk/materials/T552/pages/rich/richAppendix.html

[7] Wardley Maps https://learnwardleymapping.com

[8] Wicked Problem https://www.stonybrook.edu/commcms/wicked-problem/about/Whatis-a-wicked-problem

[9] Soft systems methodology

https://www.open.edu/openlearn/ocw/mod/oucontent/view.php?id=65641&section=6

[10] Map is not the Territory https://conceptually.org/concepts/the-map-is-not-theterritory

[11]COBR/A Effects

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_ data/file/192425/CONOPs_incl_revised_chapter_24_Apr-13.pdf

[12] EQAF

https://eua.eu/component/attachments/attachments.html?task=attachment&id=1746

[13] MIT 90s Model https://www.mckinsey.com/business-functions/people-andorganizational-performance/our-insights/the-organization-of-the-90s

[14] Reinventing government https://files.eric.ed.gov/fulltext/ED367424.pdf

[15] MBrett MRes (1999)

https://www.researchgate.net/publication/268517871_User_Led_Innovation_in_Local_Gov ernment_Service_Delivery_September_1999

[16] Senge (Fifth Discipline) https://mitsloan.mit.edu/faculty/directory/peter-m-senge

[17] Tom Peters In Search Of Excellence & Agile

https://blog.crossknowledge.com/excellence-according-to-tom-peters/

[18] RACI https://www.cio.com/article/2395825/project-management-how-to-design-asuccessful-raci-project-plan.html