The Hierarchy of Security Needs

Sociologist Abraham Maslow popularized the idea that human needs form a pyramid. For those unfamiliar, his model begins with basic physiological requirements (e.g. food, water, shelter, etc.) at the bottom, and rises progressively through safety, love and belonging, self-esteem and, ultimately, self-actualization at the top.

According to this theory, a person cannot ‘level-up’ to the next category until they’ve satisfied the requirements of the previous level. For example, it will be impossible for someone to pursue financial stability or look for housing in a crime-free neighbourhood if they don’t know where their next meal will come from.

Maslow’ Pyramid, it turns out, also happens to be a great analogy for how a business can build the framework for an effective cyber security program – at least on a basic level.

From Technology to Strategy

Consider that every cyber security strategy requires three different emphasis areas.

Technology concentrates on the software and hardware a business uses to operate, along with the software and hardware the cyber security team utilizes to protect against potential threats.

Operations comprises the people, policies, training and communications initiatives which flow through the organization.

And strategy includes the vision, goals and initiatives dictated by business leaders to protect the organization from historical, existing and emerging cyber security threats.

These emphases exist on a continuum, with each subsequent focus becoming increasingly important as the cyber security program evolves. For example, a technology focus is an important part of the process – especially in the initial stages – but it’s easy to get stuck here. Many companies will benefit from recognizing when they’re “good enough” at one level, so they can shift their attention (and investment) to moving up to the next level.

Let’s walk through the levels one at a time.

Critical Security Controls

Specific, practical and actionable, this 20-part framework outlines clear instructions IT professionals can follow to protect their technology and network infrastructure from potential threats. 

Compliance

Various regulatory and certification bodies publish broadly accepted (and generally expected) compliance standards which – when met – ensure competency in information security.

Risk Management

Shifting from broad security concerns to more specific industry or organizational concerns, this level begins to evaluate what a business specifically wants to get out of their cyber security initiatives. Questions around budgeting and specific investments begin to emerge.

Maturity

An evolution of the previous step, this focuses on tying cyber security practices to specific business objectives (e.g. paying payroll on time, protecting proprietary information, etc.) as well as targeting budget dollars to continuous cyber security improvements.

Governance

Ultimately the business’ cyber security strategy will fold seamlessly into its overall strategic plan. This questions how various aspects of the company’s mission, vision and goals will cause cyber security exposure and how the cyber security program can support the business in achieving short- and long-term objectives.

Finding A Place to Start

Like people, every organization will be at various places on the cyber security pyramid. That’s expected and that’s okay.

The key takeaway here is to take an objective view and accept where the business is at. This may be a simplified approach, but it can be helpful to gain an understanding of the technological, operational and strategic requirements to build an effective and sustainable cyber security program. 

NOTE: For those who are familiar with Capability Maturity Models, the hierarchy is not meant to replace or compete with such approaches. This is another – highly generalized – way to visualize how organizational cyber security will evolve over time.

To learn more about how MNP can help you build an effective cyber security strategy, contact Jason Murray at 647.333.6241 or [email protected].