
Does measuring your security maturity matter?

October 22, 2010

Over the last week a couple of folks asked about ways to measure the maturity of their security program. Yes, my first thought was duh, most of us security folks are somewhere between Mad Magazine and Benny Hill... Since that joke's outta the way, I'm talking about understanding your current state of effectiveness vs. your desired state. No, I don't believe you can be effective while operating at an ad hoc level; eventually you'll burn out or get distracted and go fix something else audit identified.


I've had big N consultants provide program assessments, and the results were a nice external validation of what we already knew. However, I've never managed maturity at a program level over a sustained period. I've done this informally with individual teams and it was very effective. Can it be effective at the program level?

I say yes, as long as the focus is on the following goals:

  • highlight areas of optimal maturity to demonstrate value to the business

  • use areas of suboptimal maturity to prioritize investments

Fortunately, COBIT's use of CMMI provides a great way to assess and summarize results across many areas. Nothing beats a spider chart of 0-5 maturity across your services. However, the real value is capturing the evidence to justify the rating. No fancy math needed, just real evidence provided by accountable owners (sounds familiar). There are many ways to organize a maturity assessment, e.g. ISO 27k, but this post is asking about the value of the exercise. If there's demand, I'm happy to write about conducting maturity assessments.

Is there value in an annual review looking at the following across your services:

  • personnel capacity, training, and skill set

  • relevant metrics

  • updated policies and procedures

  • process defined with a RACI and swimlane

  • communication defined and effective

  • deficiencies captured and improved

  • technology aligned and used effectively

  • etc.

At first glance this seems like crazy overhead and it can be if it's not kept simple. If there was a way to easily capture a score, record evidence, and produce a report, would you find it valuable?
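To show what "keep it simple" can look like, here is an added example (my own illustration, not part of the original post or any COBIT/CMMI tooling) of the minimal data model the post argues for: one 0-5 rating per service per review dimension, each tied to an accountable owner and a piece of evidence, with the summary, the spider-chart data and the prioritization list derived from that record. The service names, owners and evidence strings are constructed sample data; the dimension list mirrors the review bullets above.

```python
"""Toy security-maturity assessment tracker (added example, not from the post)."""
from dataclasses import dataclass

# Review dimensions, mirroring the annual-review bullets in the post.
DIMENSIONS = [
    "personnel", "metrics", "policies", "process",
    "communication", "deficiencies", "technology",
]


@dataclass
class Rating:
    service: str      # the security service being assessed
    dimension: str    # one of DIMENSIONS
    level: int        # 0-5 CMMI-style maturity level
    owner: str        # accountable owner who supplied the evidence
    evidence: str     # pointer to the artifact that justifies the level


def validate(ratings):
    """Return a list of problems; no evidence or no owner means the rating is not accepted."""
    problems = []
    for r in ratings:
        tag = f"{r.service}/{r.dimension}"
        if r.dimension not in DIMENSIONS:
            problems.append(f"{tag}: unknown dimension")
        if not 0 <= r.level <= 5:
            problems.append(f"{tag}: level {r.level} outside 0-5")
        if not r.owner.strip():
            problems.append(f"{tag}: no accountable owner")
        if not r.evidence.strip():
            problems.append(f"{tag}: no evidence recorded")
    return problems


def summarize(ratings):
    """service -> {dimension: level}; this is exactly the data a spider chart plots."""
    by_service = {}
    for r in ratings:
        by_service.setdefault(r.service, {})[r.dimension] = r.level
    return by_service


def averages(ratings):
    """service -> mean level across the dimensions that were rated."""
    return {svc: sum(scores.values()) / len(scores)
            for svc, scores in summarize(ratings).items()}


def prioritize(ratings, threshold=2):
    """Suboptimal areas (level <= threshold), lowest first: candidates for investment."""
    low = [r for r in ratings if r.level <= threshold]
    return sorted(low, key=lambda r: (r.level, r.service, r.dimension))


def strengths(ratings, threshold=4):
    """Optimal areas (level >= threshold), highest first: value to show the business."""
    high = [r for r in ratings if r.level >= threshold]
    return sorted(high, key=lambda r: (-r.level, r.service, r.dimension))


def report(ratings):
    """Plain-text report; refuses to run on ratings that lack evidence or an owner."""
    problems = validate(ratings)
    if problems:
        raise ValueError("assessment incomplete: " + "; ".join(problems))
    lines = []
    for svc, scores in summarize(ratings).items():
        cells = " ".join(f"{d}={scores.get(d, '-')}" for d in DIMENSIONS)
        lines.append(f"{svc}: avg {averages(ratings)[svc]:.1f} | {cells}")
    lines.append("invest in: " + ", ".join(
        f"{r.service}/{r.dimension} ({r.level}: {r.evidence})" for r in prioritize(ratings)))
    return "\n".join(lines)


# Constructed sample assessment (hypothetical services, owners and evidence).
SAMPLE = [
    Rating("vulnerability management", "personnel", 3, "alice", "Q3 training log"),
    Rating("vulnerability management", "metrics", 4, "alice", "monthly patch-SLA dashboard"),
    Rating("vulnerability management", "process", 2, "alice", "draft RACI, no swimlane yet"),
    Rating("incident response", "personnel", 4, "bob", "on-call roster and tabletop results"),
    Rating("incident response", "metrics", 1, "bob", "no MTTR tracking yet"),
    Rating("incident response", "process", 3, "bob", "IR runbook v2"),
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

The point of `validate()` is the post's own rule: a level with no owner and no evidence behind it is not a rating, so `report()` refuses to summarize until every cell can be justified. `prioritize()` and `strengths()` are the two goals from the post (investment candidates and value to demonstrate) computed from the same records.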
