Building on concepts identified in the IIC Industrial Internet Security Framework, the Security Maturity Model (SMM) defines levels of security maturity for a company to achieve based on its security goals and objectives as well as its appetite for risk. This enables decision makers to invest in only those security mechanisms that meet their specific requirements.
“The Internet of Things has brought a lot of innovation to industries, but it also introduces new security threats. The security landscape is complex and always changing,” said Ron Zahavi, IIC Security Applicability group co-chair, the white paper Co-Author and Chief Strategist for Azure IoT Standards at Microsoft. “It can be challenging for organizations to understand where to focus their security budgets, especially with limited resources. The Security Maturity Model provides organizations with an informed understanding of security practices and mechanisms applicable to their industry and scope of their IoT solution.”
Organizations apply the SMM by following a process. First, business stakeholders define security goals and objectives, which are tied to risks. Technical teams within the organization, or third-party assessment vendors, then map these objectives into tangible security techniques and capabilities and identify an appropriate security maturity level. Following this, organizations develop a security maturity target, which includes industry and system-specific considerations, and capture the current security maturity state of the system.
“By periodically comparing target and current states, organizations can identify where they should make improvements,” said Sandy Carielli, white paper Co-Author and Director of Security Technologies at Entrust Datacard. “Organizations achieve a mature system security state by making continued security assessments and improvements over time. They can repeat the cycle to maintain the appropriate security target as their threat landscape changes.”