CMMI Institute


The latest information for media, analysts, and others interested in the CMMI® Institute and process improvement.

Organizational Cybermaturity Comes to the Forefront During COVID-19

The worldwide pandemic has touched everyone at different levels.  Across the globe, people are taking additional steps and implementing new routines into their daily lives in order to help slow the spread of the coronavirus.  Many individuals are experiencing remote work for the first time, while companies are realizing that a dispersed workforce comes with unique opportunities and challenges. One of the challenges for organizations that has been underscored by the global pandemic is the increased need for a mature cybersecurity program, one which accounts for less controllable employee access, diverse platforms for business engagement and sundry hardware for operational access.

As the workforce has become more remote throughout the pandemic, each organization has implemented specific requirements for accessing corporate assets and conducting business. These changes have been sweeping in scope and unique to each organization. For example, many schools have approached the pandemic and “stay at home” orders by enabling student access through online portals.  Most colleges and universities were able to smoothly transition into a complete online experience, with physical student out-processing posing the greater challenge. However, many secondary schools had no continuity of operations plan for a pandemic scenario – leaving several school districts scrambling to develop platforms and mechanisms for students to learn remotely. One of the greater challenges to these efforts was ensuring access to online resources for students who, while required to attend school, do not receive compulsory, or consistent, access to the internet. Although programs exist for remote student access, few school districts integrated these options. As such, many students are forced to rely on an impromptu BYOD experience at their homes, with some having inconsistent access or unreliable connections.

Questionable connectivity to online assets is not the only concern companies, schools and other organizations face during this pandemic. Specifically, as online interaction has increased, the scrutiny of the services and platforms providing connectivity has increased as well. One example of this scrutiny are the privacy and security questions that companies such as Zoom have faced over the last week. As companies and teachers have begun to adopt Zoom to host online meetings and classes, students and workers have taken advantage of default settings that can allow them to take over the meeting presentation and display any content of their choosing, ranging from hilarious to profane. Thus, the term Zoom-bombing was coined and the US Federal Bureau of Investigation (FBI) was forced to issue warnings about the software.

Service selection challenges further compound the remote working and learning issue when considered in conjunction with the disparate or non-existent hardware policies that organizations maintain.  Specifically, when developing remote work policies, many companies and organizations find BYOD policies alluring. However, without a consistent system type at each endpoint, companies are unable to fully implement a uniform security policy. As such, organizations with low cybersecurity maturity present attackers with a smorgasbord of options and exploitation opportunities, as each system type carries a different vulnerability profile with unique attack points. Unless BYOD is thoughtfully considered and the appropriate security controls are in place, organizations remain at serious risk of exploitation.

While these types of organizational challenges may paint a bleak picture for cybersecurity professionals and organizations, the reality is that preparedness is possible. If an organization smartly develops and maintains their cybersecurity program in a mature and measured way, they stand a greater chance of making it through this difficult time safely. Measuring cybermaturity consists of several elements, such as creating a risk profile, measuring control application and identifying policy efficacy. Thankfully, through implementing maturity models, such as those presented in the CMMI Cybermaturity Framework and Platform, organizations can strengthen their risk profiles and weather the storm better than their reactionary counterparts.

As we continue to face the generational threat posed by the coronavirus, it is important to remember that hope is not lost. Remote work and learning is gaining in velocity and applicability, and many individuals are still able to work and go on with their lives, albeit in a different fashion. Specifically, organizations confident in their cybersecurity program and mature in their development will stand as strong examples of how to successfully navigate through the pandemic.

Editor’s note: For more resources related to COVID-19, visit ISACA’s Navigating COVID-19 page. Find out more about ISACA's cybermaturity assessments and cybersecurity virtual training.