Security Industry Working Group Launches to Develop Data-Centric Security Framework

PALO ALTO, CA – June 6, 2022 – The Comprehensive Cyber Capabilities Working Group (C3WG) launched today to explore what cybersecurity capabilities are needed to protect the assets of an organization against today’s threats. Data is one of the most important assets, yet existing models and frameworks for data security are not well developed. The group will define a complete set of data security capabilities, which will be published in the industry-first Data Security Maturity Model (DSMM).

The working group is led by Sounil Yu, CISO at JupiterOne and author of “The Cyber Defense Matrix.” Other members include:

  • Richard Rushing, CISO, Motorola Mobility
  • John Sullivan, CSO, Boston Scientific
  • Ross Young, CISO, Caterpillar Financial
  • Dan Walsh, CISO, VillageMD
  • Aaron Stanley, former Head of Cybersecurity, Twilio
  • Guillaume Ross, Head of Security, Fleet

The risks to enterprise data are undergoing massive changes. Enterprise data is far more decentralized, shared, and at risk than ever before due to the megatrends of cloud adoption, hybrid work, and ransomware. Enterprises have a need and opportunity to rethink their approach to data security and transform their security operations to protect what matters most. The DSMM will be a framework for security leaders to evaluate their data security program, establish a common language with all constituents, and prioritize their roadmap to align with the unique needs of their organization.

The initiative was started by Howard Ting, CEO at Cyberhaven, who recognized the limits of existing security models and the need for a data-centric perspective. “Many security frameworks indirectly cover aspects of data security, but in the narrowly-defined context of the devices, applications, or the networks where data resides,” said Howard Ting. “The Data Security Maturity Model is a mission-driven community effort to focus on the data itself, wherever it flows within an organization, and how to protect it from internal or external threats.” 

“When you compare the different frameworks and maturity models that exist in security today, you can see gaps where a capability exists for one asset class but not another,” said Sounil Yu, chairperson of C3WG. “Our goal is to identify and fill in the gaps in existing frameworks and define a comprehensive set of capabilities needed to secure and defend the full range of cyber assets in an organization, starting with data.” 

The Data Security Maturity Model (DSMM) will align to the NIST Cybersecurity Framework and the Cyber Defense Matrix. It will give security leaders a comprehensive list of capabilities needed to secure data across five key functions:

  • Identify & Classify: Find and classify all data covered by the data security program.
  • Protect: Minimize the exposure of sensitive data by controlling how it is accessed, used, and retained.
  • Detect: Collect and analyze data risk to identify data-related security events or policy violations that were not stopped by the “Protect” function.
  • Respond: Establish immediate, short-term actions to be taken upon detection of a potential incident.
  • Recover & Improve: Determine actions needed to not only restore normal operations (as they pertain specifically to data), but also to build back stronger. 

The ability to protect any type of data across devices, applications, and cloud assets is essential if organizations are to take advantage of the power of modern collaboration and digital transformation without exposing their data to external threats, insider threats, or simple mistakes by well-intentioned users. The DSMM’s data-centric approach to security will help organizations protect their critical data assets, ensuring that risk context and policy enforcement follow the data no matter how it moves or is modified. 

To learn more about the working group or to participate, visit

About the Comprehensive Cyber Capabilities Working Group (C3WG)

C3WG is working to define for the cybersecurity community a comprehensive list of capabilities needed to secure and defend the full range of cyber assets within an organization. Comprised of security leaders from across industries, the group has deep expertise in the people, process, and technology used to solve security challenges. To learn more, follow C3WG on Twitter and LinkedIn, or visit

About Cyberhaven

Cyberhaven is The Data Security Company. With the industry’s first Data Detection and Response (DDR) platform, Cyberhaven protects intellectual property and sensitive data from theft and misuse by mapping the full journey of every piece of data to accurately classify sensitive data, detect risk, and proactively enforce policy for any organization that believes data is a key differentiator in their business. For more about Cyberhaven, visit or follow the latest updates on Twitter and LinkedIn.