C3WG Launches Data Security Maturity Model


Landmark data security framework from security practitioners defines the practices and methods/tools across different levels of maturity for an organisation’s data security program

The Comprehensive Cyber Capabilities Working Group (C3WG) unveiled a first-of-its-kind Data Security Maturity Model (DSMM). The C3 Working Group is comprised of over a dozen security practitioners across industries working to define what cybersecurity capabilities are needed to protect against today’s threats. The DSMM is the first security model to directly focus on data rather than indirectly covering it in the narrowly-defined context of the devices, applications, or networks where data resides.

“Data has never been treated as a first-class citizen in security frameworks,” said Aaron Stanley, VP of Security at dbt Labs and former Global Head of Cybersecurity at Twilio. “Instead of shoehorning data and privacy into an existing security framework, we are flipping the script, and mapping data concepts to the security controls applied to other asset classes.”

Such an approach is a growing priority for security leaders as enterprise data has become incredibly dynamic in terms of how it is used and where it resides. No longer sequestered in databases, today’s data is constantly being used, modified, and shared by users as it moves between devices, traditional and SaaS applications, and cloud services. A data-centric approach to security ensures that risk context and policy enforcement can be applied to any data and can follow the data wherever it moves or however it is modified.

The initiative started in 2021 with Howard Ting, CEO of Cyberhaven, who assembled the working group. “The way data flows within modern organisations between devices, networks, applications, and people made it clear that existing security frameworks were inadequate,” said Ting. “I brought together a group of like-minded security practitioners who feel passionately as I do that a data-centric perspective is needed. The Data Security Maturity Model is the result of that mission-driven community effort.”

“Data essentially underpins all other security domains,” said Sounil Yu, CISO and Head of Research of JupiterOne. “The C3 Working Group is applying the Cyber Defense Matrix to enumerate security controls across other asset classes (devices, applications, networks, users), evaluating their applicability to the domain of data security. Our ultimate goal is to extend this approach to identifying and filling in the gaps in existing frameworks and define a comprehensive set of capabilities needed to secure and defend the full range of cyber assets.”

The DSMM aligns to the structure of the NIST Cybersecurity Framework, providing a 1-3 level of maturity across the 5 functions of a data security program:

  • Identify and classify
  • Protect
  • Detect
  • Respond
  • Recover and improve

Following the publication of the initial version today, the group will continue developing the model and present an expanded version at the RSA Conference in April. “Today’s release of DSMM v1.0 isn’t the conclusion of our work, it’s really just the beginning,” said Chris Hodson, CSO of Cyberhaven. “We plan to open source the model and build a global community of contributors to develop actionable standards and guidelines as we evolve DSMM into the de facto framework for data protection in the modern enterprise.”