Security Practitioner Working Group Publishes Industry-First Data Security Maturity Model (DSMM) In Advance of Presentation at RSA Conference

Palo Alto, Calif., February 23, 2023—The Comprehensive Cyber Capabilities Working Group (C3WG) today unveiled a first-of-its-kind Data Security Maturity Model (DSMM). The C3 Working Group is comprised of over a dozen security practitioners across industries working to define what cybersecurity capabilities are needed to protect against today’s threats. The DSMM is the first security model to directly focus on data, rather than indirectly covering it in the narrowly-defined context of the devices, applications, or networks where data resides.

“Data has never been treated as a first-class citizen in security frameworks,” said Aaron Stanley, VP of Security at dbt Labs and former Global Head of Cybersecurity at Twilio. “Instead of shoehorning data and privacy into an existing security framework, we are flipping the script and mapping data concepts to the security controls applied to other asset classes.”

Such an approach is a growing priority for security leaders as enterprise data has become incredibly dynamic in terms of how it is used and where it resides. No longer sequestered in databases, today’s data is constantly being used, modified, and shared by users as it moves between devices, traditional and SaaS applications, and cloud services. A data-centric approach to security ensures that risk context and policy enforcement can be applied to any data and can follow the data wherever it moves or however it is modified.

The initiative started in 2021 with Howard Ting, CEO of Cyberhaven, who assembled the working group. “The way data flows within modern organizations between devices, networks, applications, and people made it clear that existing security frameworks were inadequate,” said Ting. “I brought together a group of like-minded security practitioners who feel passionately as I do that a data-centric perspective is needed. The Data Security Maturity Model is the result of that mission-driven community effort.”

The C3 Working Group is led by Sounil Yu, CISO and Head of Research at JupiterOne. Other members include:

  • Aaron Stanley, VP of Security, dbt Labs
  • Arkadiy Goykhberg, CISO, Branch
  • Brian Markham, CISO, EAB
  • Chris Hodson, CSO, Cyberhaven
  • Dan Walsh, CISO, VillageMD
  • Guillaume Ross, Deputy CISO, JupiterOne
  • John Sullivan, CSO, Boston Scientific
  • Kevin Paige, CISO, Flexport
  • Louis Holt, CEO, ESPROFILER
  • Merike Kaeo, former CISO, Uniphore
  • Richard Rushing, CISO, Motorola Mobility
  • Ross Young, CISO, Caterpillar Financial

“Data essentially underpins all other security domains,” said Sounil Yu, CISO and Head of Research of JupiterOne. “The C3 Working Group is applying the Cyber Defense Matrix to enumerate security controls across other asset classes (devices, applications, networks, users), evaluating their applicability to the domain of data security. Our ultimate goal is to extend this approach to identifying and filling in the gaps in existing frameworks and define a comprehensive set of capabilities needed to secure and defend the full range of cyber assets.”

The DSMM aligns to the structure of the NIST Cybersecurity Framework, providing a 1-3 level of maturity across the 5 functions of a data security program:

  • Identify and classify
  • Protect
  • Detect
  • Respond
  • Recover and improve

Following the publication of the initial version today, the group will continue developing the model and present an expanded version at the RSA Conference in April. “Today’s release of DSMM v1.0 isn’t the conclusion of our work, it’s really just the beginning,” said Chris Hodson, CSO of Cyberhaven. “We plan to open source the model and build a global community of contributors to develop actionable standards and guidelines as we evolve DSMM into the de facto framework for data protection in the modern enterprise.”

About the Comprehensive Cyber Capabilities Working Group (C3WG)
C3WG is working to define for the cybersecurity community a comprehensive list of capabilities needed to secure and defend the full range of cyber assets within an organization. Comprised of security leaders from across industries, the group has deep expertise in the people, process, and technology used to solve security challenges. To learn more, visit

About Cyberhaven
Cyberhaven is the data security company revolutionizing how companies protect their most important information from theft and misuse. Until now, security products only recognized and protected a limited range of data types because they relied on finding patterns in the content itself. Our data tracing technology analyzes billions of events surrounding every piece of data to better understand and classify it, allowing for protection of a much broader range of sensitive data in any form, anywhere it goes. For more information, please visit