Leadership Solutions

Security Barometer Results: Security Program Maturity Models

Maturity models are a framework that can be used to benchmark processes and procedures against clearly defined best practices.

The Software Engineering Institute (SEI) at Carnegie Mellon University created a maturity model that originally addressed software development but can be applied to other processes. They defined 5 maturity levels:

  1. Initial – Processes unpredictable, poorly controlled and reactive
  2. Managed – Process characterized for projects and is often reactive
  3. Defined – Processes characterized for the organization and is proactive
  4. Quantitatively managed – Processes measured and controlled
  5. Optimizing – Focus on process improvement


In this security barometer quick poll we asked security practitioners to provide a self-assessment of the maturity model level of their programs using the five levels described by the SEI. Below are the results of the poll.

chart of results from security barometer poll on maturity models

Surprising to us, when the practitioners were asked a recovery-related question closely aligning with the lowest level of maturity, 27% said they did not achieve it. Perhaps they did not understand the question, but we expected the percentage to be much lower - close to zero. When participants were asked about metrics (a higher level of maturity), 64% said they did not use business value metrics (metrics that are beyond initial "counting" of activities such as number of background checks performed or number of badges issued). We hope to see that change over time.

The Security Executive Council is using the knowledge it has obtained through years of research into organizational structure, culture and security processes as well as input from its experienced Emeritus Faculty (former security executives) and community of leading practitioners to identify proven security processes and practices. Contact us if you would like the operational maturity of your security programs assessed against leading practices.

We will be exploring security and risk management capability maturity models more in-depth on this site and in future newsletters. Subscribe to the SEC Insight Newsletter to be kept up-to-date on leading security and risk management practices.