
Security Barometer Results: Security Program Maturity Models

Created by the Security Executive Council

A maturity model is a framework for benchmarking an organization's processes and procedures against clearly defined levels of practice, so that the current state can be described consistently and the next step toward improvement identified.

The Software Engineering Institute (SEI) at Carnegie Mellon University created a maturity model (the Capability Maturity Model, later CMMI) that originally addressed software development but can be applied to other processes. It defines five maturity levels:

  1. Initial – Processes unpredictable, poorly controlled, and reactive
  2. Managed – Process characterized for projects; often reactive
  3. Defined – Processes characterized for the organization; proactive
  4. Quantitatively managed – Processes measured and controlled
  5. Optimizing – Focus on process improvement

In this Security Barometer quick poll, conducted in 2015, we asked security practitioners to self-assess the maturity level of their programs using the five levels defined by the SEI. The results of the poll are shown below.

chart of results from security barometer poll on maturity models

When practitioners were asked a recovery-related question closely aligned with the lowest level of maturity, 27% said their program did not meet it. Some may have misunderstood the question, but we expected that percentage to be much lower, close to zero. When participants were asked about metrics (a higher level of maturity), 64% said they did not use business value metrics, meaning metrics that go beyond simply counting activities, such as the number of background checks performed or the number of badges issued. We hope to see that change over time.

The Security Executive Council is using the knowledge it has obtained through years of research into organizational structure, culture and security processes, as well as input from its experienced Emeritus Faculty (former security executives) and community of leading practitioners, to identify proven security processes and practices. Contact us if you would like the operational maturity of your security programs assessed against leading practices.

For more information on this topic, see Security Program Strategy & Operations: Strategic Planning/Management.

Watch our 3-minute video to learn about how the SEC works with security leaders. Contact us at: contact @secleader.com.

Copyright Security Executive Council. Last Updated: August 23, 2018

A PDF of this resource is available for download: Sec_Barometer_Maturity.pdf (178KB).