Trying to understand capabilities in terms of the CMMC by returning to McKinsey's Global Survey
Building organizational capabilities: McKinsey Global Survey results | McKinsey mckinsey.com
In the CMMC Model we often talk about capabilities, domains, and practices and processes.
The theoretical model took me a bit to grok as drafts and documents from SEI often referred to capability domains and then we see capabilities as a subset of the domains…
Using a word to define that same word always throws me for a loop.
The model framework (Figure 1) organizes these processes and practices into a set of domains and maps them across five levels. In order to provide additional structure, the framework also aligns the practices to a set of capabilities within each domain.
In the above model the practices are a subset of capabilities, but these capabilities are unrelated to the maturation processes, and both capabilities and processes make up the 17 domains.
The CMMC identifies 43 capabilities associated with the 17 domains in the CMMC.
At the same time I understood the role of capabilities as a tool for increasing process institutionalization. Yet based on the CMMC model the maturation model is not related to capabilities. Practices make up capabilities, not processes.
The CMMC model cites two sources when talking about capabilities:
Cybersecurity Capability Maturity Model (C2M2), Version 1.1, Department of Energy, Department of Homeland Security, and Carnegie Mellon University Software Engineering Institute, February 2017
Advancing Cybersecurity Capability Measurement Using the CERT-RMM Maturity Indicator Level Scale, Technical Note CMU/SEI-2013-TN-028, M. J. Butkovic and R. A. Caralli, Carnegie Mellon University Software Engineering Institute, November 2013
I am going to search and annotate these sources next, but when you hear "capability" you cannot help but think about the McKinsey survey on organizational capabilities.
Just having trouble deciding if the CMMC-AB uses "capabilities" as a noun or a verb. Feels like both, or capabilities means different things in different places. Not sure yet. Why the maturation processes that lead to increased institutionalization do not also improve organizational capabilities in the model is where I struggle.
The processes of the CMMC will increase an organization’s capabilities as much as the practices.
Finally, what is the difference between the 17 capability domains and the 171 practices that make up the 43 capabilities, which when combined with the processes represent the CMMC model?
If we are trying to operationalize and assess the theoretical model laid out in image one, I need to understand how these 43 capabilities pair with the 17 domains across 5 different levels… Sounds like a really tough multidimensional thing to measure… assessments like single-factor solutions… luckily model fit is someone else’s problem.
So in my journey of understanding how “capabilities” get operationalized I start with McKinsey:

> The online survey was in the field from January 12, 2010, to January 22, 2010, and received responses from 1,440 executives representing the full range of regions, industries, functional specialties, and seniority.
So it could just be a buzzword-soup study. Every CEO wants to increase capabilities… who self-reports wanting their firm to be less capable? Huge self-report bias… can’t find the actual method of the study.
We defined a capability as anything an organization does well that drives meaningful business results.
It’s notable that the majority of companies don’t focus on a specific priority capability for purely competitive reasons; most often, the reason is that the capability is part of their culture.
Notably, however, the most common reason respondents give for their companies’ focus on the capability identified as most important to business performance is that the skill is a part of their companies’ culture, rather than any competitive reason.
So capability in the McKinsey report is about changing organizational culture… I know a large part of CMMC is about cultural shifts, but I am still unsure why the maturation process does not lead to increased organizational capabilities.
only about a quarter think their companies’ training programs are “extremely” or “very effective” in preparing various employee groups to drive business performance or improve the overall performance of their companies
Training is essential. Increasing the institutionalization of cybersecurity will take a cultural shift and a ton of training.
In addition, our experience shows that on-the-job training is most effective when it is reinforced through some sort of formal teaching and feedback loop.
What kind of feedback loops can implementors include to ensure growth along the maturation process?