Promoting Global Cyber Resilience for Sectors and Society Cyber Capability Maturity Model (PROGRESS CCMM)

 

The Regional Cyber Resilience Lab at Tel Aviv University is the leading global provider of comprehensive sectoral cyber resilience advisory and digital transformation services. 

 

Advancing Cyber Resilience for Sustainable Digital Transformation

 

Resilience to cyber shocks is crucial for harnessing the advantages of digital transformation. Sectors operate vital services and critical infrastructure, while society relies on infrastructure and services that go beyond the capacity of any single organization.  

 

Tel Aviv University (TAU) has developed the 'Promoting Global Cyber Resilience for Sectors and Society Cyber Capability Maturity Model (PROGRESS CCMM)' to promote cyber resilience and support international development and capacity building. The introduction of PROGRESS CCMM is available here

 

The cutting edge of the PROGRESS CCMM lies in its sector focus: it aims to improve overall sector-level cyber capabilities rather than serve individual regulator or stakeholder objectives.

 

The shift from organizational-level cybersecurity to sector-wide cyber resilience enables the identification of key systemic sector cybersecurity issues and the development of fine-tuned solutions to strengthen sector resilience.

 

 

How We Do It 

We break down a sector into sub-components, assess their capacity and maturity, and suggest ways to optimize overall sector performance. This involves improving individual stakeholder capabilities and enhancing cooperation among stakeholders to leverage their collective capacity as a joint sector mechanism.

 

 

Benefits / Why PROGRESS? 

 

The PROGRESS model formulates individually designed sector recommendations that prioritize efficient actions to bridge capability gaps in people, processes, and technology. We identify activities that can be arranged into a roadmap with prioritized actionable steps.

 

 

The PROGRESS methodology is unique as a sector instrument as it: 

 

  • Bridges the gap between national and enterprise levels. 
  • Provides a sector-specific roadmap to enhance cyber resilience.
  • Prioritizes forward-looking cyber resilience indicators.
  • Offers effective and cost-efficient ways to capture a sector view.
  • Is applicable to sectors that stretch across national borders.
  • Addresses supply chain and third-party risks.
  • Has a verified track record.

 

 

  1. Incorporating suppliers, human capital, regulators, and national-level capabilities enhances feasibility and effectiveness.
  2. Performing a sectoral assessment brings together diverse stakeholders and fosters communication, cooperation, and improved resilience objectives.
  3. PROGRESS model recommendations address capabilities, roles, and responsibilities across all four dimensions of operation.
  4. Provides a more detailed assessment compared to other models (20 capability maturity levels). 
  5. Fills the gap between national-level and enterprise-level models and accepts inevitable disruptions. PROGRESS CCMM also incorporates the results of prior assessments, such as the Oxford Cybersecurity Capacity Maturity Model for Nations or enterprise-level models.

 

 

The model assumes and accepts that inevitable disruptions will degrade performance and service delivery, and even cause the collapse of some constituents of the sector.

 

The PROGRESS CCMM assessment generates 20 capability maturity levels, highlighting specific areas of vulnerability and providing suggestions for improvement. The model covers forty-six topics across multiple dimensions of operations. 

 


 

Unlike other models, this maturity model does not seek a single grade or ranking. The final report is the result of an advisory engagement and aims to outline specific recommendations for improvements in the sector, so the model instead underscores specific areas of potential vulnerability, reasons about the risks, and suggests ways for improvement.

 

The PROGRESS methodology includes forty-six topics, each appearing in several dimensions of operations (DO).  

 

 

The PROGRESS Cyber-Capability Maturity Model Innovation

 

Resilience to cyber shocks and threats is vital for reaping the benefits of digital transformation. The PROGRESS CCMM takes a comprehensive approach to cybersecurity, considering all stakeholders within an economic sector. It integrates individual organizations and their interactions, enabling targeted recommendations and efficient resource allocation.

The PROGRESS model offers sharp and focused recommendations that are:

 

  • Service-specific, focusing on required capabilities in sectors like power, financial services, and healthcare.
  • Based on diagnostics of current capabilities and performance dimensions.
  • Incorporating non-technical aspects and supply chain considerations.
  • Incorporating external capabilities and collaboration with state agencies.

 

The PROGRESS model analyzes sectors in four dimensions of operations to provide clarity and transparency.

 

 

Dimensions of Operations

 

To illustrate the dimensions in practice, consider a critical infrastructure sector such as electricity. This sector in turn includes generation, transformation, transmission, and distribution subsectors.

 

Dimension 1 – Key Entities

Description: Typically, large organizations and their capabilities are analyzed.

Example: In the power sector, this includes power generation, transmission, and distribution facilities operated by monopolies in the industry and country.

Dimension 2 – Sectoral Supervisors

Description: Analysis of regulators and regulations in the industry, including interactions with key entities and other stakeholders.

Example: This may involve the Ministry of Energy or other electric authorities, as well as additional regulators like environmental protection organizations.

Dimension 3 – IT & OT Supply Chain

Description: Examination of smaller players in the sector such as service providers, suppliers, and other elements in the supply chain.

Example: For the power sector, this includes fuel suppliers, providers of critical goods, vendors of professional services and power generation equipment, and security and monitoring organizations.

Dimension 4 – National Cybersecurity Capacity

Description: Assessment of stakeholders outside the sector, such as national Critical Infrastructure Protection (CIP) agencies or supply chains.

Example: This involves evaluating national or state-level capabilities in cyber defense, intelligence, law enforcement, forensics, and certifications established by state or professional unions.

 

 

Practice domains

 

The five practice domains encompass 46 existing good practices:  

 

  • Organization: Roles and responsibilities for firm-level cybersecurity governance, incident response teams.
  • Process: Management decisions and contingency plans in the cyber area, baseline configuration of ICT systems, information sharing.
  • People: Cybersecurity awareness training, access management, human risks, compliance with industry standards.
  • Tools: Cloud services, endpoint protection, networking infrastructure, cyber threat intelligence, encryption.
  • Compliance: Effectiveness of governance requirements and regulations, risk management concerning external dependencies.

 

Each domain is analyzed in every dimension to provide a comprehensive view of the sector's cyber maturity level. By populating the matrix with real data, we can understand the sector's current state and present the findings effectively.  

 

 

The PROGRESS Capability Maturity Matrix

 

By analyzing the dimensions and practice domains, we gain a holistic understanding of the sector. The results are presented in the form of a matrix, which can accommodate any number of nodes and links. 

  


 

We suggest exploring cooperation opportunities in sectoral cyber assessments and framework development that may help optimize efforts and investments in digital transformation. We suggest you contact us for further details!

 

To find out more about PROGRESS and see how you can benefit, please contact Lior Tabansky

 

You can also access the article "Incorporating Systems Thinking into a Cyber Resilience Maturity Model" at IEEE ENGINEERING MANAGEMENT REVIEW to read more about the PROGRESS model. 

 

 

 
