Over the last week a couple of folks asked about ways to measure the maturity of their security program. Yes, my first thought was duh, most of us security folks are somewhere between Mad Magazine and Benny Hill... Now that the joke's out of the way, I'm talking about understanding your current state of effectiveness vs. your desired state. No, I don't believe you can be effective while operating at an ad hoc level; eventually you'll burn out or get distracted and go fix something else that audit identified.
I've had Big N consultants provide program assessments, and the results were a nice external validation of what we already knew. However, I've never managed maturity at a program level over a sustained period. I've done this informally with individual teams and it was very effective. Can it be effective at the program level?
I say yes, as long as the focus is on the following goals:
Fortunately, COBIT's use of CMMI provides a great way to assess and summarize results across many areas. Nothing beats a spider chart of 0-5 maturity across your services. However, the real value is in capturing the evidence that justifies each rating. No fancy math needed, just real evidence provided by accountable owners (sounds familiar). There are many ways to organize a maturity assessment, e.g. ISO 27k, but this post is asking about the value of the exercise. If there's demand, I'm happy to write about conducting maturity assessments.
Is there value in an annual review looking at the following across your services:
personnel capacity, training, and skill set
updated policies and procedures
process defined with a RACI and swimlane
communication defined and effective
deficiencies captured and improved
technology aligned and used effectively
At first glance this seems like crazy overhead, and it can be if it's not kept simple. If there were a way to easily capture a score, record evidence, and produce a report, would you find it valuable?
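To make the "capture a score, record evidence, produce a report" idea concrete, here is an added example (mine, not code from the original post or from COBIT/CMMI) of the smallest data model that keeps the exercise honest: a 0-5 rating per service and review area, a rule that any rating above 0 must name an accountable owner and point at evidence, and a gap report against a desired state. The area names, the two sample services, their ratings and the target of 3 are all constructed for illustration.

```python
"""Minimal maturity-review model: 0-5 ratings per service and area, evidence
and an accountable owner required for every non-zero rating, plus a gap
report of current vs. desired state. All sample data below is constructed."""
from dataclasses import dataclass, field
from statistics import mean

# The six review areas from the post, in the post's order (labels assumed).
AREAS = [
    "personnel",      # capacity, training, and skill set
    "policies",       # updated policies and procedures
    "process",        # process defined with a RACI and swimlane
    "communication",  # communication defined and effective
    "deficiencies",   # deficiencies captured and improved
    "technology",     # technology aligned and used effectively
]


@dataclass
class Rating:
    score: int                                   # 0 = ad hoc/absent .. 5 = optimizing
    owner: str                                   # accountable owner who supplied evidence
    evidence: list = field(default_factory=list)  # references to artifacts, not prose


def validate(assessment):
    """Return a list of problems; empty means the data is usable.
    assessment is {service: {area: Rating}}."""
    problems = []
    for service, ratings in assessment.items():
        for area in AREAS:
            r = ratings.get(area)
            if r is None:
                problems.append(f"{service}/{area}: no rating recorded")
                continue
            if not 0 <= r.score <= 5:
                problems.append(f"{service}/{area}: score {r.score} outside 0-5")
            if not r.owner:
                problems.append(f"{service}/{area}: no accountable owner")
            if r.score > 0 and not r.evidence:
                problems.append(f"{service}/{area}: score {r.score} has no evidence")
    return problems


def service_average(assessment, service):
    """Mean score of one service across all areas (one spoke-set of the spider chart)."""
    return mean(assessment[service][a].score for a in AREAS)


def area_average(assessment, area):
    """Mean score of one area across all services (where the program is weakest)."""
    return mean(assessment[s][area].score for s in assessment)


def gaps(assessment, target):
    """{(service, area): shortfall} for every rating below the desired state.
    target is {area: desired score}."""
    out = {}
    for service, ratings in assessment.items():
        for area in AREAS:
            short = target[area] - ratings[area].score
            if short > 0:
                out[(service, area)] = short
    return out


def render_report(assessment, target):
    """Plain-text report: one row per service, then the evidence behind each gap."""
    width = max(len(s) for s in assessment)
    lines = [" " * width + "  " + "  ".join(f"{a[:6]:>6}" for a in AREAS) + "    avg"]
    for service in assessment:
        row = "  ".join(f"{assessment[service][a].score:>6}" for a in AREAS)
        lines.append(f"{service:<{width}}  {row}  {service_average(assessment, service):5.2f}")
    for (service, area), short in sorted(gaps(assessment, target).items()):
        r = assessment[service][area]
        lines.append(f"gap {short} at {service}/{area}: owner={r.owner}, "
                     f"evidence={', '.join(r.evidence) or 'none'}")
    return "\n".join(lines)


# Constructed sample: two services, one accountable owner each.
SAMPLE = {
    "vuln-mgmt": {
        "personnel": Rating(3, "A. Owner", ["training-log-2023"]),
        "policies": Rating(4, "A. Owner", ["POL-VM-2.1"]),
        "process": Rating(2, "A. Owner", ["RACI draft"]),
        "communication": Rating(3, "A. Owner", ["monthly metrics deck"]),
        "deficiencies": Rating(2, "A. Owner", ["findings tracker export"]),
        "technology": Rating(4, "A. Owner", ["scanner coverage report"]),
    },
    "incident-response": {
        "personnel": Rating(2, "B. Owner", ["on-call roster"]),
        "policies": Rating(3, "B. Owner", ["IR plan v3"]),
        "process": Rating(3, "B. Owner", ["IR swimlane"]),
        "communication": Rating(1, "B. Owner", ["status-page procedure"]),
        "deficiencies": Rating(1, "B. Owner", ["post-incident review Q2"]),
        "technology": Rating(3, "B. Owner", ["SIEM use-case inventory"]),
    },
}
TARGET = {a: 3 for a in AREAS}  # desired state, assumed uniform for the example

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)) or "data ok")
    print(render_report(SAMPLE, TARGET))
```

The validation step is the part that matters: a score with no owner or no evidence is rejected rather than averaged in, which is what keeps the spider chart from drifting into self-reported opinion. Swap the constructed SAMPLE for a spreadsheet or ticket export and the same functions produce the annual view.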