Nothing, you may think? Or maybe it’s everything? How about “mindset” and “approach”?

I am painfully aware of how often organizations want to do agile (or say they are agile) vs. being agile.

I believe the cybersecurity maturity called for in the Department of Defense (DOD) Cybersecurity Maturity Model Certification (CMMC) standard is similar to the issue of doing vs. being agile. Way too many government contractors and even vendors in the ecosystem are focused on achieving compliance vs. developing the maturity required by the standard. They want the silver bullet to demonstrate compliance overnight vs. putting in the work to develop a culture and mindset of security that will have a better long-term impact.

There’s an old joke that asks “How do you eat an elephant?” And the answer is “One bite at a time”.

I utilize an iterative and incremental agile approach to institute security practices that are well understood. This makes them easier to follow consistently. I believe this approach is key to addressing the issue of achieving cybersecurity maturity and building a culture of cybersecurity awareness for an entire organization.

About The Agile CIO

Azunna Anyanwu is a seasoned Technology Executive, Servant Leader, and Problem Solver. He is a trusted advisor who provides strategic technology leadership to IT and business unit executives as well as corporate boards.
