Security Barometer Results: Security Program Maturity Models
Maturity models are a framework that can be used to benchmark processes and procedures against clearly defined best practices.
In this security barometer quick poll we asked security practitioners to provide a self-assessment of the maturity model level of their programs using the five levels described by the SEI. Below are the results of the poll.
Surprising to us, when the practitioners were asked a recovery-related question closely aligning with the lowest level of maturity, 27% said they did not achieve it. Perhaps they did not understand the question, but we expected the percentage to be much lower - close to zero. When participants were asked about metrics (a higher level of maturity), 64% said they did not use business value metrics (metrics that are beyond initial "counting" of activities such as number of background checks performed or number of badges issued). We hope to see that change over time.
The Security Executive Council is using the knowledge it has obtained through years of research into organizational structure, culture and security processes as well as input from its experienced Emeritus Faculty (former security executives) and community of leading practitioners to identify proven security processes and practices. Contact us if you would like the operational maturity of your security programs assessed against leading practices.
We will be exploring security and risk management capability maturity models more in-depth on this site and in future newsletters. Subscribe to the SEC Insight Newsletter to be kept up-to-date on leading security and risk management practices.