
Secure 2.0 Act of 2022 introduces key changes for workplace retirement plans

03.20.23

The Consolidated Appropriations Act, 2023 (Public Law No. 117-328), which was signed into law on December 29, 2022 by President Joe Biden, includes the SECURE 2.0 Act of 2022. SECURE 2.0 introduces over 90 changes to the federal rules governing workplace retirement plans.

This landmark legislation builds on the original SECURE Act enacted on December 19, 2019, and aims to expand coverage and increase retirement savings while simplifying and clarifying retirement plan rules.

Every employer, whether for-profit or tax-exempt, that currently maintains a qualified retirement plan or is evaluating a future plan should consider implementing these new rules, since the changes are generally beneficial for employees.  

Unless the Internal Revenue Service (IRS) announces otherwise, employers that operate in accordance with the mandatory or optional changes in the law as of the provisions’ applicable effective date have until the end of the plan year beginning in 2025 to adopt the written amendment. Government employers have until the end of their 2027 plan year to amend their plan document. 

To help prioritize the evaluation of the changes, the following summary of the SECURE 2.0 provisions is organized by the year in which the change is required or may be incorporated into plan operations, without regard to the plan type. Future articles will discuss various aspects of SECURE 2.0, including strategic opportunities and implementation challenges for employers.

Changes with immediate effective dates

Insight: Employers need to consider immediately updating employee notices and plan procedures for these important changes in the law.

  • Later required minimum distributions (RMDs). SECURE 2.0 increases the age at which retirement plan participants must begin receiving RMDs from 72 to 73, starting January 1, 2023. The original SECURE Act increased the starting age for RMDs from 70½ to 72.
  • Aggregation of distributions on tax-preferred retirement accounts that hold annuities. Effective December 29, 2022, RMDs can be determined by aggregating distributions from both the annuity and non-annuity investments.
  • Reduced excise tax for a failure to take RMDs. Effective for taxable years beginning after December 29, 2022, the excise tax rate is reduced from 50% to 25% of the missed RMD for workplace retirement plans and IRAs. Further, if an IRA makes a corrective distribution generally within two years, the excise tax is reduced to 10% for the IRA (but not for workplace retirement plans).
  • Encourages life annuities. SECURE 2.0 eliminates certain actuarial tests in the RMD regulations that operated as barriers to the availability of life annuities in qualified plans and IRAs. Effective for contracts purchased or received in an exchange on or after December 29, 2022, SECURE 2.0 repeals the 25% limit and allows up to $200,000 (indexed) to be used from an account balance to purchase a qualifying longevity annuity contract (QLAC). It also clarifies that “free look” periods are permitted up to 90 days for contracts purchased or received in an exchange on or after July 14, 2014. 
  • Reduces disclosures for unenrolled employees. Effective for plan years beginning after December 31, 2022, employers are no longer required to provide most notices under ERISA or IRS rules to employees who do not participate in the employer’s retirement plan. However, employers must provide an annual reminder of the employee’s eligibility and deadline, if applicable, to participate in the plan. Employers must also provide such individuals with any plan documents they request.
  • Allows incentives for 401(k) and 403(b) elections. Effective for plan years beginning after December 29, 2022, employers may provide de minimis financial benefits, such as low-value gift cards, as an incentive for employees to elect to contribute to a 401(k) or 403(b) plan without violating IRS’s “contingent benefit rule.”

    Insight: The legislation does not define what dollar amount would be considered de minimis, so IRS guidance is needed. Based on long-standing IRS guidance in other contexts (for example, “de minimis” fringe benefits) the dollar value threshold is very low, which may not be sufficient to motivate anyone to enroll in the plan. The incentives cannot be paid from plan assets. 
     
  • Employer contributions may be designated as Roth contributions. Effective December 29, 2022, employers may allow plan participants to designate employer matching and nonelective contributions as after-tax Roth contributions. Such contributions would be included in the participant’s taxable wage income for the year made. Employer contributions designated as Roth contributions must be immediately 100% vested. 
  • Permanent relief for federally declared disasters. Effective for federally declared disasters occurring on or after January 26, 2021 (i.e., this provision is effective retroactively), plans or IRAs may allow affected participants additional access to retirement funds. Penalty-free distributions up to $22,000 per participant, per disaster may be taken into taxable income over three years and participants can recontribute those amounts to a tax-preferred retirement account within three years. Plans can also increase the affected participant’s loan limit to $100,000 (instead of the regular $50,000 loan limit) or the participant’s vested account balance. Also, if the affected participant has a non-disaster plan loan outstanding, the repayment period can be extended by one year. 

    Insight: This is permanent relief that eliminates the need for specific disaster relief to be issued by the IRS.
     
  • Reliance on employee’s certification for hardship distributions. For plan years beginning after December 29, 2022, plan sponsors can rely on employees’ self-certification that the employee has experienced a deemed hardship for purposes of taking a hardship withdrawal from a 401(k) or 403(b) plan and that the distribution is not in excess of the amount required to satisfy the financial need. Future regulations might restrict reliance if the sponsor has information that contradicts the employee’s certification. 
  • 10% early withdrawal penalty waived for terminally ill. Effective for distributions made after December 29, 2022, the 10% penalty on early withdrawals before age 59½ is waived for distributions to terminally ill individuals whose physician certifies that they have a condition that is expected to result in death within 84 months.
  • Repayment of qualified birth or adoption distributions. Effective for distributions made after December 29, 2022 (and retroactively to the three-year period beginning on the day after the date on which such distribution was received), repayment of qualified birth or adoption distributions is limited to three years. Previously, such distributions could be recontributed at any time, but due to the IRS’s three-year statute of limitations to amend an income tax return, taxpayers might not receive a refund of the taxes that were paid in the year of withdrawal. This change aligns the repayment period with the eligibility for refund. 
  • Cash balance plan interest crediting rates. Effective for plan years beginning after December 29, 2022, cash balance plans with variable interest crediting rates may use a projected “reasonable” interest crediting rate that does not exceed 6%. This means that those plans can use graded pay credits that increase for older, longer service workers without risking failing the anti-backloading rules that otherwise may create problems for cash balance plans that use market-based interest crediting rates. 
  • Elimination of variable rate premium indexing. Effective on December 29, 2022, SECURE 2.0 replaces the indexed “applicable dollar amount” used to determine the Pension Benefit Guaranty Corporation variable rate premium with a flat $52 for each $1,000 of unfunded vested benefits.
  • Correction of mortality tables. Effective December 29, 2022, pension plans are not required to assume certain mortality improvements. The IRS must amend the applicable regulations within 18 months.
  • 403(b) investments in Collective Investment Trusts (CITs). Effective December 29, 2022, CITs are permissible investments for 403(b) plans. Previously, under IRS rules, 403(b) plans could invest only in mutual funds or annuity contracts, which generally have higher fees than CITs.

    Insight: Although this changes the tax rules, it appears that federal securities laws will need to be updated before 403(b) plans can invest in CITs.
     
  • Multiple Employer 403(b) Plans. Effective for plan years beginning after December 31, 2022, 403(b) plans can participate in Multiple Employer Plans (MEPs).
  • Expanded Employee Plans Compliance Resolution System (EPCRS). Effective December 29, 2022, SECURE 2.0 enhances the IRS’s self-correction program to: (1) allow more types of errors to be self-corrected without an IRS filing, (2) apply to inadvertent IRA errors, and (3) exempt certain RMD failures from the otherwise applicable excise tax. For example, operational errors that can be self-corrected without an IRS filing now include significant errors and plan loan errors, provided the error is corrected within a reasonable time after it is discovered (and the IRS has not identified the error). Employers are no longer required to attempt to recoup certain overpayments made to participants. The IRS was directed to update the EPCRS revenue procedure accordingly within two years and the US Department of Labor (DOL) is required to coordinate its Voluntary Fiduciary Compliance Program (VFCP) accordingly.
  • Auditor’s report for “group of plans." Effective December 29, 2022, defined contribution plans filing a single Form 5500 as a “group of plans” must submit an auditor’s opinion if any plan in the group, individually, has 100 participants or more at the beginning of the plan year. The auditor’s report will relate only to each individual plan that would otherwise be subject to an independent accountant’s report. Thus, the DOL and the IRS will continue to receive the same number of audit reports (and content) about plans with 100 or more participants that would be filed if the “group of plans” was not filed as a single Form 5500.
  • $500 small plan tax credit for military spouses. Effective for taxable years beginning after December 29, 2022, employers with 100 or fewer employees earning at least $5,000 in annual compensation can receive a general tax credit of up to $500 for three years if they (1) make military spouses eligible to participate in the defined contribution plan within two months of hire; (2) upon plan eligibility, make them eligible for any matching or nonelective contribution that they would otherwise have been eligible for at two years of service; and (3) 100% vest them in employer contributions. The credit is $200 per participating non-highly compensated military spouse, plus 100% of employer contributions made to the military spouse, up to $300. No credit is available for highly compensated employees. The credit is available for the year the military spouse is hired and the two succeeding taxable years. Employers may rely on the employee’s certification that they are an eligible military spouse.
  • Small employer plan start-up credit. Effective for taxable years beginning after December 31, 2022, the start-up credit for adopting a workplace retirement plan increases from 50% to 100% of administrative costs for small employers with up to 50 employees. The credit remains 50% for employers with 51-100 employees. Employers with a defined contribution plan may also receive an additional credit based on the amount of employer contributions of up to $1,000 per employee. This additional credit phases out over five years for employers with 51-100 employees. The start-up credits are available for three years to employers that join an existing MEP, regardless of how long the plan has been in existence. The MEP rule is retroactively effective for taxable years beginning after December 31, 2019.
  • SIMPLE and Simplified Employee Pension (SEP) Roth IRAs. Effective for taxable years beginning after December 31, 2022, SIMPLE IRAs can accept Roth (i.e., after-tax) contributions. In addition, employers can offer employees the ability to treat employee and employer SEP contributions as Roth contributions (in whole or in part).
  • SEPs for Domestic Workers. Effective for tax years beginning after December 29, 2022, employers of domestic employees (nannies, housekeepers, etc.) can provide retirement benefits for those employees under a SEP. Previously, employers were not permitted to offer domestic employees a workplace retirement plan because the employer was not engaged in a trade or business.

Changes effective in 2024

The following changes take effect in 2024. Employers should consider how these changes may affect their plan document and operation.

  • Elimination of RMDs for Roth 401(k) and 403(b) plans. Currently, Roth IRAs are not subject to RMDs before the account owner’s death, but RMDs from Roth 401(k) and 403(b) plans generally must begin at age 72. Effective for taxable years beginning after December 31, 2023, SECURE 2.0 eliminates the pre-death RMD requirement for Roth 401(k) and 403(b) plans. However, this change does not apply to distributions that are required with respect to years beginning before January 1, 2024 but are permitted to be paid on or after that date. 
  • RMDs for surviving spouses. Effective for calendar years beginning after December 31, 2023, surviving spouses can elect to be treated as the deceased employee for purposes of the RMD rules.
  • Student loan repayments matching contributions. Effective for contributions made for plan years beginning after December 31, 2023, employers may treat an employee’s qualified student loan payments as employee contributions to a 401(k) plan, 403(b) plan, governmental 457(b) plan, or SIMPLE IRA that is entitled to an employer matching contribution. For nondiscrimination testing of elective contributions, plans may separately test the employees who receive matching contributions on student loan repayments. Eligible student loan repayments include any indebtedness incurred by the employee solely to pay his or her qualified higher education expenses (in other words, student loan debt for an employee’s children is not eligible). 

    Insight: This provision is in response to years of retirement industry pressure, based on the notion that employees who are overwhelmed with student debt may not be able to save for retirement and are missing out on available matching contributions.
     
  • Emergency savings accounts. Effective for plan years beginning after December 31, 2023, employers may amend their defined contribution plans to offer short-term emergency savings accounts to non-highly compensated employees. These accounts will be funded with after-tax Roth salary deferrals up to $2,500 (indexed for inflation). Participants can make up to one withdrawal per month. Employers may automatically enroll employees into these accounts at no more than 3% of their salary. Contributions are treated as after-tax elective deferrals and are eligible to receive matching contributions. The first four withdrawals each plan year cannot be subject to any withdrawal fees. When employees terminate employment, they may take their emergency savings accounts as cash or roll them over into their new employer’s Roth 401(k) plan (if any) or into a Roth IRA. 

    Insight: Although this sounds simple, over 33 pages of legislative text amending both ERISA and the Internal Revenue Code (IRC) were needed to create this new law. IRS and/or DOL guidance will be needed before employers can implement this optional plan design feature.
     
  • Rothification of catch-up contributions for high earners. Effective for taxable years beginning after December 31, 2023, catch-up contributions for participants who are 50 or older and who earned more than $145,000 in the prior year (indexed for inflation) must be made on a Roth (after-tax) basis.
  • Higher forced rollover limit. The involuntary IRA rollover limit is increased from $5,000 to $7,000 for distributions made after December 31, 2023. Thus, workplace retirement plans can force a tax-free rollover distribution without the participant’s consent if the participant’s account is over $1,000 but does not exceed $7,000, when the participant is otherwise eligible to receive a distribution from the plan. Also, retirement plan service providers can provide automatic portability services (that is, the plan could automatically move such forced cash-outs into a default IRA or into the participant’s new employer’s retirement plan, unless the participant opts out).
  • Retroactively amending plan to increase benefits for prior plan year. Effective for plan years beginning after December 31, 2023, employers can retroactively amend a workplace retirement plan to increase participants’ benefits for the prior plan year, so long as the amendment is adopted no later than the extended due date of the employer’s federal income tax return for that prior year.

    Insight: For decades, employers could fund a workplace retirement plan for the prior year, so long as the contribution was deposited into the plan no later than the extended due date of the employer’s federal income tax return. The original SECURE Act improved on that concept by allowing employers to retroactively adopt a new workplace retirement plan (e.g., an ESOP, cash balance plan, or profit-sharing plan) for the prior year, so long as it was adopted no later than the extended due date of the employer’s federal income tax return for the prior year. That change allowed employers to finalize their financials for the tax year before contributing to the retirement plan. SECURE 2.0 further expands employer flexibility by allowing employers to retroactively adopt amendments to increase plan benefits for the prior plan year.
     
  • Waiver of early withdrawal penalties for certain distributions. Effective for distributions made after December 31, 2023, the 10% penalty on early withdrawals before age 59½ is waived for certain distributions. Participants can self-certify that they meet the criteria for (i) up to $1,000 per year for certain unforeseen personal or family emergency expenses, and (ii) up to the lesser of $10,000 (indexed for inflation) or 50% of the participant’s vested account balance for distributions in connection with domestic abuse (for example, when the participant needs funds to escape an unsafe situation). Participants may repay the withdrawn money over three years and claim a refund for the income taxes paid on the distribution. However, additional emergency distributions are prohibited for three years unless repayment occurs.
  • Permanent safe harbor for correcting auto-enrollment and auto-escalation failures. Effective for errors that occur after December 31, 2023, the current safe harbor for correcting employee elective deferral elections becomes permanent. The existing safe harbor was scheduled to expire on December 31, 2023.

    Insight: Plans that use auto-enrollment and auto-escalation can avoid significant penalties for honest mistakes if notice is given to the employee, correct deferrals begin within certain time periods, and the employer provides the employee with any matching contributions that would have been made had the failure not occurred. Corrections generally must be made before 9 ½ months after the end of the plan year in which the mistakes were made.
     
  • Uniform rollover forms. No later than January 1, 2025, the IRS must issue sample forms for direct rollovers that may be used by the distributing or receiving retirement plan or IRA. This is intended to simplify and standardize the tax-free rollover process.
  • 403(b) hardship distributions conform to 401(k) rules. Effective for plan years beginning after December 31, 2023, SECURE 2.0 aligns the 403(b) plan hardship distribution rules with the 401(k) plan hardship distribution rules. This change brings the rules for the operation and administration of 403(b) plans closer to those for 401(k) plans.
  • Starter 401(k) or 403(b) plans. Employers that do not sponsor a workplace retirement plan may offer a new, safe harbor “starter” deferral-only plan that automatically enrolls employees at 3% to 15% of their compensation. The annual contribution limit is the same as for IRAs ($6,500, with an additional $1,000 for catch up contributions for employees who are age 50 or older). Starter plans are exempt from most nondiscrimination testing rules. This change is effective for plan years beginning after December 31, 2023.
  • Separate top-heavy tests allowed. Effective for plan years beginning after December 31, 2023, employers can separately test excludable and non-excludable employees when determining whether the plan is top heavy.

    Insight: This change may increase retirement plan coverage for more workers because it removes the general requirement for employers to contribute 3% of compensation to all employees who are eligible to participate in a top-heavy plan.
     
  • SIMPLE plan updates. Effective for plan years beginning after December 31, 2023, employers may replace a SIMPLE IRA during the plan year with a SIMPLE 401(k) that requires mandatory employer contributions. Also, employers with SIMPLE plans may make additional employer contributions above the existing 2% of compensation or 3% of employee elective deferrals requirement. Additional employer contributions must be made uniformly and cannot exceed the lesser of 10% of compensation or $5,000 (indexed for inflation). In addition, the annual deferral limit and the catch-up contribution at age 50 are increased by 10 percent in the case of an employer with no more than 25 employees. An employer with 26 to 100 employees would be permitted to provide the higher deferral limits, but only if the employer provides either a 4% matching contribution or a 3% employer contribution.
  • Reform of family attribution rules. Effective for plan years beginning after December 31, 2023, two changes to the family attribution rules provide relief to certain related businesses. One change addresses inequities between spouses with separate businesses who reside in a community property state and spouses who reside in a separate property state. The other change modifies attribution of stock ownership between parents and minor children.

    Insight: These changes will help businesses owned by each spouse provide retirement benefits to their respective employees only.  
     
  • Improved defined benefit plan annual funding notices. Effective for plan years beginning after December 31, 2023, defined benefit plan annual funding notices will be revised to identify more clearly the plan’s funding status.
  • Indexing IRA catch-up limit. Effective for taxable years beginning after December 31, 2023, the $1,000 catch-up limit for IRAs for individuals 50 and older will be indexed annually for inflation, in multiples of $100 (rounding down to the next lower multiple of $100).
  • Section 529 rollovers. Effective for distributions after December 31, 2023, beneficiaries of an IRC Section 529 college savings account that has been open for more than 15 years can roll over up to $35,000 from any 529 account in their name to a Roth IRA over the course of their lifetime. Such rollovers are subject to annual contribution limits to Roth IRAs. This new rollover feature may encourage contributions to 529 plans since they can now be used for retirement and not just for college.
  • Retirement savings lost and found. DOL must create a lost and found database no later than December 29, 2024, to help reunite participants with money that they may have left behind in workplace retirement savings plans. 

    Insight: This may help employers deal with missing participants and uncashed checks.

Changes effective in 2025

The following changes take effect in 2025. Employers should consider how these changes may affect their plan document and operation.

  • Later RMDs. On January 1, 2025, the RMD starting age increases from 73 to 75. 
  • Mandatory automatic enrollment for new plans. New 401(k) and 403(b) plans adopted after December 29, 2022, must provide for automatic contributions for plan years starting after December 31, 2024. The deferral percentage must be between 3% and 10% of compensation, with automatic escalation of at least 1% per year up to a deferral rate of not less than 10% but not more than 15% (10% until January 1, 2025). Participants can opt out of automatic enrollment or automatic escalation.

    Insight: Plans in effect on or before December 29, 2022, are exempt from the new requirements.
     
  • Catch-up contribution increases. Participants age 50 and older can make a catch-up contribution in 2023 of $7,500 (as indexed), except in the case of SIMPLE plans, which are limited to $3,500 (as indexed). Effective for taxable years beginning after December 31, 2024, the catch-up contribution limit for participants who are age 60 to 63 will increase to the greater of (i) $10,000 or (ii) 150% of the regular catch-up contribution limit for 2024 (indexed for inflation after 2025).
  • Coverage of long-term part-time employees. Under the original SECURE Act, part-time employees who work at least 500 hours per year for at least three consecutive years, and who have reached age 21 as of the end of the three-year period, must be allowed to enroll and make elective deferrals under the employer’s 401(k) plan at the end of the three-year period. Those employees also earn vesting credit for years with 500 hours of service. Effective for plan years beginning after December 31, 2024, SECURE 2.0 reduces the three-year period to two years and disregards service before January 1, 2021, for both eligibility and vesting. It also extends the rule to 403(b) plans that are subject to ERISA (not all 403(b) plans are subject to ERISA). This rule does not apply to union plans or defined benefit plans.
  • Distributions for certain long-term care premiums. Effective December 29, 2025, retirement plans can distribute up to $2,500 per year to pay for certain long-term care insurance premiums. Such distributions are exempt from the 10% early withdrawal penalty that might otherwise apply.

Next steps 

While many of the retirement plan provisions in SECURE 2.0 are not effective until later years (including some, like the new federal “Saver’s Match” and mandatory paper benefit statements, that will not take effect until 2026), a number of important provisions require immediate attention. Some of the changes are especially helpful to small employers. 

Almost all workplace retirement plans will need to be reviewed for possible amendments and operational changes to reflect SECURE 2.0. 

While further guidance on many of the new provisions is needed, employers should review their plan document and operations in the meantime to determine what, if any, amendments will be needed, what operations need to be changed, and what systems or processes should be updated. 

Written by Joan Vines and Norma Sharara. Copyright © 2023 BDO USA, LLP. All rights reserved. www.bdo.com

BerryDunn experts and consultants

Do you know what would happen to your company if your CEO suddenly had to resign immediately for personal reasons? Or got seriously ill? Or worse, died? These scenarios, while rare, do happen, and many companies are not prepared. In fact, 45% of US companies do not have a contingency plan for CEO succession, according to a 2020 Harvard Business Review study.  

Do you have a plan for CEO succession? As a business owner, you may have an exit strategy in place for your company, but do you have a plan to bridge the leadership gap for you and each member of your leadership team? Does the plan include the kind of crises listed above? What would you do if your next-in-line left suddenly? 

Whether yours is a family-owned business, a company of equity partners, or a private company with a governing body, here are things to consider when you’re faced with a situation where your CEO has abruptly departed or has decided to step down.  

1. Get a plan in place. First, assess the situation and figure out your priorities. If there is already a plan for these types of circumstances, evaluate how much of it is applicable to this particular circumstance. For example, if the plan is for the stepping down or announced retirement of your CEO, but some other catastrophic event occurs, you may need to adjust key components and focus on immediate messaging rather than future positioning. If there is no plan, assign a small team to create one immediately. 

Make sure management, team leaders, and employees are aware and informed of your progress; this will help keep you organized and streamline communications. Management needs to take the lead and select a point person to document the process. Management also needs to take the lead in demeanor. Model your actions so employees can see the situation is being handled with care. Once a strategy is identified based on your priorities, draft a plan that includes what happens now, in the immediate future, and beyond. Include timetables so people know when decisions will be made.  

2. Communicate clearly, and often. In times of uncertainty, your employees will need as much specific information as you can give them. Knowing when they will hear from you, even if it is “we have nothing new to report” builds trust and keeps them vested and involved. By letting them know what your plan is, when they’ll receive another update, what to tell clients, and even what specifics you can give them (e.g., who will take over which CEO responsibility and for how long), you make them feel that they are important stakeholders, and not just bystanders. Stakeholders are more likely to be strong supporters during and after any transition that needs to take place. 

3. Pull in professional help. Depending on your resources, we recommend bringing in a professional to help you handle the situation at hand. At the very least, call in an objective opinion. You’ll need someone who can help you make decisions when emotions are running high. Bringing someone on board who can help you decipher what you have to work with and what your legal and other obligations may be, help rally your team, deal with the media, and manage emotions can be invaluable during a challenging time, even if the arrangement is temporary.

4. Develop a timeline. Figure out how much time you have for the transition. For example, if your CEO is ill and will be stepping down in six months, you have time to update any existing exit strategy or succession plan you have in place. Things to include in the timeline: 

  • Who is taking over what responsibilities? 
  • How and what will be communicated to your company and stakeholders? 
  • How and what will be communicated to the market? 
  • How will you bring in the CEO's replacement, while helping the current CEO transition out of the organization? 

If you are in a crisis situation (e.g., your CEO has been suddenly forced out or asked to leave without a public explanation), you won’t have the luxury of time.  

Find out what other arrangements have been made in the past and update them as needed. Work with your PR firm to help with your change management and do the right things for all involved to salvage the company’s reputation. When handled correctly, crises don’t have to have a lasting negative impact on your business.   

5. Manage change effectively. When you’re under the gun to quickly make significant changes at the top, you need to understand how the changes may affect various parts of your company. While instinct may tell you to focus externally, don’t neglect your employees. Be as transparent as you possibly can be, present an action plan, ask for support, and get them involved in keeping the environment positive. Whether you bring in professionals or not, make sure you allow for questions, feedback, and even discord if challenging information is being revealed.  

6. Handle the media. Crisis rule #1 is making it clear who can, and who cannot, speak to the media. Assign a point person for all external inquiries and instruct employees to refer all reporter requests for comment to that point person. You absolutely do not want employees leaking sensitive information to the media. 
 
With your employees on board with the change management action plan, you can now focus on external communications and how you will present what is happening to the media. This is not completely under your control. Technology and social media have changed the game in terms of the speed at which information reaches the public and the transparency expected of corporate leadership. Present a message to the media quickly that coincides with your values as a company. If you are dealing with a scandal where public trust is involved and your CEO is stepping down, handling this effectively will take tact and most likely a team of professionals to help. 

Exit strategies are planning tools. Uncontrollable events occur and we don’t always get to follow our plan as we would have liked. Your organization can still be prepared and know what to do in an emergency situation or sudden crisis.  Executives move out of their roles every day, but how companies respond to these changes is reflective of the strategy in place to handle unexpected situations. Be as prepared as possible. Own your challenges. Stay accountable. 

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Article
Crisis averted: Why you need a CEO succession plan today

Read this if your CFO has recently departed, or if you're looking for a replacement.

With the post-Covid labor shortage, “the Great Resignation,” an aging workforce, and ongoing staffing concerns, almost every industry is facing challenges in hiring talented staff. To address these challenges, many organizations are hiring temporary or interim help—even for C-suite positions such as Chief Financial Officers (CFOs).

You may be thinking, “The CFO is a key business partner in advising and collaborating with the CEO and developing a long-term strategy for the organization; why would I hire a contractor to fill this most-important role?” Hiring an interim CFO may be a good option to consider in certain circumstances. Here are three situations where temporary help might be the best solution for your organization.

Your organization has grown

If your company has grown since you created your finance department, or your controller isn’t ready or suited for a promotion, bringing on an interim CFO can be a natural next step in your company’s evolution, without having to make a long-term commitment. It can allow you to take the time and fully understand what you need from the role — and what kind of person is the best fit for your company’s future.

BerryDunn's Kathy Parker, leader of the Boston-based Outsourced Accounting group, has worked with many companies to help them through periods of transition. "As companies grow, many need team members at various skill levels, which requires more money to pay for multiple full-time roles," she shared. "Obtaining interim CFO services allows a company to access different skill levels while paying a fraction of the cost. As the company grows, they can always scale its resources; the beauty of this model is the flexibility."

If your company is looking for greater financial skill or advice to expand into a new market, or turn around an underperforming division, you may want to bring on an outsourced CFO with a specific set of objectives and timeline in mind. You can bring someone on board to develop growth strategies, make course corrections, bring in new financing, and update operational processes, without necessarily needing to keep those skills in the organization once they finish their assignment. Your company benefits from this very specific skill set without the expense of having a talented but expensive resource on your permanent payroll.

Your CFO has resigned

The best-laid succession plans often go astray. If that’s the case when your CFO departs, your organization may need to outsource the CFO function to fill the gap. When your company loses the leader of company-wide financial functions, you may need to find someone who can come in with those skills and get right to work. While they may need guidance and support on specifics to your company, they should be able to adapt quickly and keep financial operations running smoothly. Articulating short-term goals and setting deadlines for naming a new CFO can help lay the foundation for a successful engagement.

You don’t have the budget for a full-time CFO

If your company is the right size to have a part-time CFO, outsourcing CFO functions can be less expensive than bringing on a full-time in-house CFO. Depending on your operational and financial rhythms, you may need the CFO role full-time in parts of the year, and not in others. Initially, an interim CFO can bring a new perspective from a professional who is coming in with fresh eyes and experience outside of your company.

After the immediate need or initial crisis passes, you can review your options. Once the temporary CFO’s agreement expires, you can bring someone new in depending on your needs, or keep the contract CFO in place by extending their assignment.

Considerations for hiring an interim CFO

Making the decision between hiring someone full-time or bringing in temporary contract help can be difficult. Although it oversimplifies the decision a bit, a good rule of thumb is: the more strategic the role will be, the more important it is that you have a long-term person in the job. CFOs can have a wide range of duties, including, but not limited to:

  • Financial risk management, including planning and record-keeping
  • Management of compliance and regulatory requirements
  • Creating and monitoring reliable control systems
  • Debt and equity financing
  • Financial reporting to the Board of Directors

If the focus is primarily overseeing the financial functions of the organization and/or developing a skilled finance department, you can rely — at least initially — on a CFO for hire.

Regardless of what you choose to do, your decision will have an impact on the financial health of your organization — from avoiding finance department dissatisfaction or turnover to capitalizing on new market opportunities. Getting outside advice or a more objective view may be an important part of making the right choice for your company.


Article
Three reasons to consider hiring an interim CFO

As a leader in a higher education institution, you'll be familiar with this paradox: Every solution can lead to more problems, and every answer can lead to more questions. It’s like navigating an endless maze. When it comes to mobile apps, the same holds true. So, the question: Should your institution have a mobile app? The answer? Absolutely.

Devices, not computers, are how millennials communicate, gather, inform, and engage. Millennials, on average, spend 90 hours per month on mobile apps, not including web searches and website visits.

Students are no exception. A 2016 Nielsen study showed that 98% of millennials aged 18 – 24, and 97% of millennials aged 25 – 34, owned a smartphone, while a 2017 comScore report stated that one out of five millennials no longer use desktop devices, including laptops. Mobile apps have quickly filled the desktop void, and as students grow more reliant on mobile technology, colleges and universities are in the mix, creating apps to bolster student engagement.

So should you create an app? Here are some questions you should answer before creating a mobile app. Welcome to the labyrinth! But don’t be frustrated—answer these questions to help you avoid dead ends and overspending.

1. Is a mobile app part of your IT Strategy? Including a mobile app in your IT strategy minimizes confusion at all levels about the objectives of mobile app implementation. It also helps dictate whether an institution needs multiple mobile apps for various functions, or a primary app that connects users with other functionality. If an institution has multiple campuses, should you align all campuses with a single app, or will each campus develop its own?

2. What will the app do? Mobile apps can perform a multitude of functions, but for the initial implementation, select a few key functions in one main area, such as academics or student life. Institutions can then add functionality in the future as mobile adoption grows, and demand for more functions increases.

3. Who will use the app? Mobile apps certainly improve engagement throughout the student life cycle—from prospect to student to alumni—but they also present opportunities for increased faculty, staff, and community engagement. And while institutions should identify the immediate audience of the app, they should also identify future users, based upon functionality.

4. Who will manage the app? Institutions should determine who is going to manage the mobile app, and how. The discussion should focus on access, content, and functionality. Is the institution going to manage everything in house, from development to release to support, or will a mobile app vendor provide this support under contract? Depending on your institution, these discussions will vary.

5. What data will the app use? Like any new software system, an app is only as good as its supporting data. It’s important to assess the systems to integrate with the mobile app, and determine if the systems’ data is up-to-date and ready for integration. Consider the use of application program interfaces, or APIs. APIs allow apps and platforms to interact with one another. They can enable social media, news, weather, and entertainment apps to connect with your institution’s app, enhancing the user experience with additional content.

6. How much data security does your app need? Depending on the functionality of the app you create, you will need varying degrees of security, including user authentication safeguards and other protections to keep information safe.

7. How much can you spend for the app? Your institution should decide how much you will spend on initial app development, with an eye toward including maintenance and development costs for future functionality. Complexity increases costs, so you will need to budget accordingly. Include budget planning for updates and functionality improvements after launch.

You will also need to establish a timeline for the project and roll out. And note that apps deployed toward the end of the academic year experience less adoption than apps deployed at the beginning of the academic year.

Once your institution answers these questions, you will be off to a good start. And as I stated earlier, every answer to a question can lead to more questions. If your institution needs help navigating the mobile app labyrinth, please reach out to me.

Article
The mobile app labyrinth: Seven questions higher education institutions should ask

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?
RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization, start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG: Developing new ones can be difficult: we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG: Many organizations buy many tools but rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all of its valuable features.

What are some pitfalls to avoid when conducting internal capacity planning?
RG: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools, a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.

Read our next cybersecurity playbook article, External capacity: Cybersecurity playbook for management #4, here.

Article
Tapping your internal capacity for better results: Cybersecurity playbook for management #3

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: How much can we afford? Are they a right fit for the team and its playing style? Do the owners approve?

Management has to answer similar questions when selecting and implementing a cybersecurity maturity model. Those questions form the basis of this blog – chapter 2 in BerryDunn’s Cybersecurity Playbook for Management.

What are the main factors a manager should consider when selecting a maturity model?
RG: All stakeholders, including management, should be able to easily understand the model. It should be affordable for your organization to implement, and its outcomes achievable. It has to be flexible. And it has to match your industry. It doesn’t make a lot of sense to have an IT-centric maturity model if you’re not an extremely high-tech organization. What are you and your organization trying to accomplish by implementing maturity modeling? If you are trying to improve the confidentiality of data in your organization’s systems, then the maturity model you select should have a data confidentiality domain or subject area.

Managers should reach out to their peer groups to see which maturity models industry partners and associates use successfully. For example, Municipality A might look at what Municipality B is doing, and think: “How is Municipality B effectively managing cybersecurity for less money than we are?” Hint: there’s a good chance they’re using an effective maturity model. Therefore, Municipality A should probably select and implement that model. But you also have to be realistic, and know certain other factors—such as location and the ability to acquire talent—play a role in effective and affordable cybersecurity. If you’re a small town, you can’t compare yourself to a state capital.

There’s also the option of simply using the Cybersecurity Capability Maturity Model (C2M2), correct?
RG: Right. C2M2, developed by the U.S. Department of Energy, is easily scalable and can be tailored to meet specific needs. It also has a Risk Management domain to help ensure that an organization’s cybersecurity strategy supports its enterprise risk management strategy.

Once a manager has identified a maturity model that best fits their business or organization, how do they implement it?
RG: STEP ONE: get executive-level buy-in. It’s critical that executive management understands why maturity modeling is crucial to an organization's security. Explain to them how maturity modeling will help ensure the organization is spending money correctly and appropriately on cybersecurity. By sponsoring the effort, providing adequate resources, and accepting the final results, executive management plays a critical role in the process. In turn, you need to listen to executive management to know their priorities, issues, and resource constraints. When facilitating maturity modeling, don’t drive toward a predefined outcome. Understand what executive management is comfortable implementing—and what the business or organization can afford.

STEP TWO: Identify leads who are responsible for each domain or subject area of the maturity model. Explain to these leads why the organization is implementing maturity modeling, expected outcomes, and how their input is invaluable to the effort’s success. Generally speaking, the leads responsible for subject areas are very receptive to maturity modeling, because—unlike an audit—a maturity model is a resource that allows staff to advocate their needs and to say: “These are the resources I need to achieve effective cybersecurity.”

Third, have either management or these subject area leads communicate the project details to the lower levels of the organization, and solicit feedback, because staff at these levels often have unique insight on how best to manage the details.

The fourth step is to just get to work. This work will look a little different from one organization to another, because every organization has its own processes, but overall you need to run the maturity model—that is, use the model to assess the organization and discover where it measures up for each subject area or domain. Afterwards, conduct work sessions, collect suggestions and recommendations for reaching specific maturity levels, determine what it’s going to cost to increase maturity, get approval from executive management to spend the money to make the necessary changes, and create a Plan of Action and Milestones (POA&M). Then move forward and tick off each milestone.

Do you suggest selecting an executive sponsor or an executive steering committee to oversee the implementation?
RG: Absolutely. You just want to make sure the executive sponsors or steering committee members have both the ability and the authority to implement changes necessary for the modeling effort.

Should management consider hiring vendors to help implement their cybersecurity maturity models?
RG: Sure. Most organizations can implement a maturity model on their own, but the good thing about hiring a vendor is that a vendor brings objectivity to the process. Within your organization, you’re probably going to find erroneous assumptions, differing opinions about what needs to be improved, and bias regarding who is responsible for the improvements. An objective third party can help navigate these assumptions, opinions, and biases. Just be aware some vendors will push their own maturity models, because their models require or suggest organizations buy the vendors’ software. While most vendor software is excellent for improving maturity, you want to make sure the model you’re using fits your business objectives and is affordable. Don’t lose sight of that.

How long does it normally take to implement a maturity model?
RG: It depends on a variety of factors and is different for every organization. Keep in mind some maturity levels are fairly easy to reach, while others are harder and more expensive. It goes without saying that well-managed organizations implement maturity models more rapidly than poorly managed organizations.

What should management do after implementation?
RG: Run the maturity model again, and see where the organization currently measures up for each subject area or domain. Do you need to conduct a maturity model assessment every year? No, but you want to make sure you’re tracking the results year over year in order to make sure improvements are occurring. My suggestion is to conduct a maturity model assessment every three years.

One final note: make sure to maintain the effort. If you’re going to spend time and money implementing a maturity model, then make the changes, and continue to reassess maturity levels. Make sure the process becomes part of your organization’s overall strategic plan. Document and institutionalize maturity modeling. Otherwise, the organization is in danger of losing this knowledge when the people who spearheaded the effort retire or pursue new opportunities elsewhere.

What’s next?
RG: Over the next couple of blogs, we’ll move away from talking about maturity modeling and begin talking about the role capacity plays in cybersecurity. Blog #3 will instruct managers on how to conduct an internal assessment to determine if their organizations have the people, processes, and technologies they need for effective cybersecurity.

Read our next cybersecurity playbook article, Tapping your internal capacity for better results: Cybersecurity playbook for management #3, here.

Article
Selecting and implementing a maturity model: Cybersecurity playbook for management #2

Is your organization a service provider that hosts or supports sensitive customer data (e.g., personal health information (PHI), personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organizations (COSO) 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

  • Control Environment: Emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: Emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls to an organization through the use of policies and procedures.
  • Information and Communication: Emphasis on how you communicate within the organization and with external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 

Article
The SOC 2 update — how will it affect you?

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG: One of the first, and most popular, is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between process-based and capability-based models?
RG: Process-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.

You can read our next chapter, Selecting and implementing a maturity model: Cybersecurity playbook for management #2, here.

Article
Maturity modeling: Cybersecurity playbook for management #1