User:SeanPMConnors

Historical background
In the Information Technology industry IT, the evolution of the Capability Maturity Model CMM began with Capability modeling for software development. The security component was limited to elements for development of software applications. With the advent of many cybersecurity solutions providers (CSP), providing defenses, including those that developed cybersecurity solutions into their products, like CISCO networks, and others that were solely CSP's, the model became outdated. It failed to include the elements outside of the application. It reflected just one part of Application Security (AppSec).In the energy industry a cybersecurity capability maturity model developed, named C2M2. It has been progressive in addressing measurement specific to SCADA compliance, but also did not include all elements or areas of cybersecurity.

Cybersecurity solution providers, or vendors gravitated to solutions that were specific to their areas of expertise or market share. Initially there was a lot of emphasis on an all inclusive solution using technology, which later changed to incorporate social engineering, the human behavior element, only in the last 5 years, leading up to 2015. This was because of the trend of, successful cyber attacks, beginning with user behavior, that was unable to be controlled with a technically solution. The big omission, cyber security awareness training.

a Cybersecurity Strategy
The steps to accomplish a defense using Cybersecurity Defense Providers (CDP).

Defenses
As the insurance industry began servicing companies with cybersecurity insurance, It became apparent that there was a lack of data on 'incidents' unlike for example, hurricanes or wildfires. There has been an attempt to measure capability on network incidents, that is, attack attempts on IP addresses and even more sophisticated traffic analysis. This however renders useless results as a noise signature on any company at the time of an attack has no correlation to the likeliness a breach may occur. Thus capability has to be measured using defenses, or defenses from CSP's at a company.

Measurement
This modeling evolved to address the layouts and encompass all vendors providing cybersecurity solutions, and thereby provide a model that is useful at an executive level, to measure and manage not only its enterprise but those it does business with, and allows access to its systems.

Hence we arrive at a Cybersecurity 5 Layout Capability Maturity model. CS5LCMM.

The defenses are laid out into the Cybersecurity 5 Layout (CS5L):

→2 - Application Security (software systems) →1 - Network Security (communications) →3 - Security Awareness (people, capabilities, and procedures) →4 - Internal Defense (in-house scanning, policies, and controls) →5 - Forensics (CSI and real-time monitoring)

Side Note: The Cybersecurity Strategy 5 layout capability maturity model (CS5LCMM) now inherits the yet to be published Energy sector, CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) https://upload.wikimedia.org/wikipedia/commons/4/4e/Cybersecurity_Strategy_5_layer_CS5L.png