“IT and security leaders are often considered the ultimate authorities for protecting the enterprise from threats [...] Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organization’s security.” Gartner, Nov 2021
Modern digital businesses are most effective when they make decisions in a decentralized manner that’s fully focused on customer value creation and incremental improvements. In contrast, traditional security frameworks often focus on centralized control; their implementation requires heavy involvement of a small team of security experts. This can lead to "checkbox security".
At Thoughtworks, we leverage a business security maturity model framework to equip leaders of Demand, Supply and Delivery functions across all of Thoughtworks' 18 country entities with an actionable mental model for security. This increases their confidence in driving security improvements as a business concern and in leveraging the expertise of security professionals to address business risk.
Our approach to developing the model was human-centered. We paired security specialists and user experience designers to co-design the model, conducting 36 research sessions across seven countries and internal operation functions. We discovered what we really needed through this research: an approach complementary to traditional security frameworks that enables businesses to prioritize security.
The model is being used to increase the visibility of security risks, emphasize the importance of governance and to focus security investments in line with local market needs in all 18 countries. It answers questions such as:
- How effective is our security governance?
- How well are we managing risks and mitigations across client projects?
- How reliably are we learning about and from security events, to prevent them from impacting our own and our clients’ business?
- Are we investing in the right capabilities to ensure we can continue to build secure software solutions in the face of new industry trends?
Embracing security as a value driver
While “security is everyone's responsibility”, many organizations struggle to truly embrace security as a value driver. Relying on a corporate security team alone presents a significant risk for businesses and moves the discussion about security too far from its business context.
At Thoughtworks, existing security frameworks did not provide us with the right level of abstraction to drive security concerns and opportunities into core business strategy. They instead led to a tendency of framing security as a specialist technical concern.
Thoughtworks' business security maturity model and continuous improvement framework focuses the discussion about security on business value where traditional maturity models focus on controls. Business decision makers are provided with a framework to evaluate and steer security priorities as key aspects of:
- Customer value creation
- An outcome-aligned organization
- Responsiveness to market shifts
- A “test and learn” culture for security as an organizational objective
- The responsible use of information assets
- Business structure and governance
What's in the model
Through our research we identified the key dimensions for operating a country entity with security built in:
- Relationships between security professionals and business decision makers
- Governance and reporting of security risk, events, maturity and metrics
- Security event management and proactive improvement
- Security community and security champions programs
- Leader activation to embed a security mindset into their areas of responsibility
- Secure software delivery practices and shifting security left
- Data handling for sensitive and regulated information
- Security capability building
- Security and technology risk management
- Security communications and reporting: visibility to everyone
Dimensions are defined with measurable requirements for five maturity levels, inspired by industry-renowned models such as CMMI.
- Each maturity level is defined by three to four requirements per dimension
- All requirements must be met to qualify for the respective level
- The model qualifies maturity with 142 unique requirements
Regular assessments are used to monitor maturity, evolve the model and define targets and initiatives with key stakeholders.
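The qualification rule above (every requirement at a level must be met to qualify for that level) is simple to state but easy to get wrong in a spreadsheet, where a single met requirement at a higher level can inflate a score. The following evaluator is an added illustration, not Thoughtworks' assessment tooling; dimension names, requirement identifiers and assessment results are constructed for the example, and the staged rule that a level only counts when all lower levels are also met is our assumption, in the spirit of CMMI, rather than something the model is stated to require.

```python
"""Evaluate maturity-model assessment results per dimension.

Added illustration, not Thoughtworks' own tooling. Applies the page's rule:
every requirement at a level must be met to qualify for that level.
Assumption (ours, not stated on the page): levels are staged, so a level is
only reached when all lower levels are also fully met. Requirement ids and
results below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = (1, 2, 3, 4, 5)


@dataclass
class Dimension:
    name: str
    # maturity level -> requirement identifiers that must all be met
    requirements: dict[int, list[str]]


def achieved_level(dim: Dimension, results: dict[str, bool]) -> int:
    """Highest level L such that every requirement at levels 1..L is met.

    A requirement absent from `results` is treated as unmet (conservative).
    Returns 0 when level 1 is not fully met.
    """
    achieved = 0
    for level in LEVELS:
        reqs = dim.requirements.get(level, [])
        if reqs and all(results.get(r, False) for r in reqs):
            achieved = level
        else:
            break  # staged: a gap at this level stops the climb
    return achieved


def gaps_to_next_level(dim: Dimension, results: dict[str, bool]) -> list[str]:
    """Unmet requirements at the next level (empty at the top level)."""
    current = achieved_level(dim, results)
    if current == LEVELS[-1]:
        return []
    return [r for r in dim.requirements.get(current + 1, [])
            if not results.get(r, False)]


def assess(dims: list[Dimension], results: dict[str, bool]) -> dict[str, tuple[int, list[str]]]:
    """Per-dimension (achieved level, gaps to next level) for a review."""
    return {d.name: (achieved_level(d, results), gaps_to_next_level(d, results))
            for d in dims}


def unique_requirements(dims: list[Dimension]) -> int:
    """Count distinct requirement ids; ids shared between dimensions count once."""
    return len({r for d in dims for reqs in d.requirements.values() for r in reqs})


# Constructed sample: three requirements per level, prefixes chosen for the demo.
def _dimension(prefix: str, name: str) -> Dimension:
    return Dimension(name, {lvl: [f"{prefix}-{lvl}.{i}" for i in (1, 2, 3)] for lvl in LEVELS})


SAMPLE_DIMENSIONS = [
    _dimension("RM", "Security and technology risk management"),
    _dimension("DH", "Data handling for sensitive and regulated information"),
]

# Constructed assessment results. RM-4.1 is met but must not lift RM past
# level 2, because RM-3.2 is unmet. DH-1.3 is missing and so counts as unmet.
SAMPLE_RESULTS = {
    "RM-1.1": True, "RM-1.2": True, "RM-1.3": True,
    "RM-2.1": True, "RM-2.2": True, "RM-2.3": True,
    "RM-3.1": True, "RM-3.2": False, "RM-3.3": True,
    "RM-4.1": True,
    "DH-1.1": True, "DH-1.2": True,
}

if __name__ == "__main__":
    for name, (level, gaps) in assess(SAMPLE_DIMENSIONS, SAMPLE_RESULTS).items():
        print(f"{name}: level {level}; gaps to next level: {gaps}")
```

The evaluator returns the gap list alongside the level so that a review with stakeholders can turn directly into targets: the next level's unmet requirements are the initiatives to plan.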
The model's adaptiveness follows from a fundamental design principle: it provides consistency across the business without being prescriptive. Its strength lies in facilitating collaboration between security specialists, decision makers and subject matter experts who deeply understand the business context and processes.
Today, business security officers across all of Thoughtworks’ countries use the framework to increase the impact of their expertise, building the bridge between the CISO, the corporate security team and the country's business.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.