Security Maturity Surety: Part 1
A mature security program is more than aligning your organization’s controls with an operational framework, such as NIST Special Publication 800-53 or ISO 27001 and 27002 — or, worse, waiting for a cyber attack or data breach to take action. Mature security programs go beyond reactive or check-the-box approaches. In fact, a truly mature security program employs regular maturity assessments to drive and measure long-term improvements in governance, compliance, risk management, and the enterprise-wide security culture.

While there are many maturity models to choose from, selecting one doesn’t need to be a daunting task. Most models are prescriptive, process-oriented and relatively uncomplicated, as compared with control-based frameworks that have multiple levels of controls and sub-controls within each domain. The model you choose should be the one that’s affordable, understood by all key stakeholders, and well-suited to your industry. The leading maturity models include:

  • The United States National Institute of Standards and Technology’s Program Review for Information Security Assistance (NIST PRISMA)
  • The Forrester Information Security Maturity Model
  • Gartner’s ITScore for Information Security
  • The Cybersecurity Capability Maturity Model (C2M2)
  • Control Objectives for Information Technology (COBIT), a security governance framework that can also be used to assess maturity
Maturity models typically break maturity down into tiers assigned based on the strength and preparedness of the security program. At the lowest level of maturity, security programs, policies and procedures are unorganized, unstructured, and undocumented. At the highest level, the security program facilitates continuous assessment, monitoring and improvement of IT processes. Policies and procedures are documented, communicated, enforced and adhered to by all, and there is a strong security culture throughout the organization.

It’s important to remember that not every program will, or needs to, reach the highest maturity tier. Differences in organizational size and structure, budget, and the relative importance of various IT processes will help determine the ideal maturity level for the organization as a whole, and the target maturity levels for specific process domains. The goal for all entities, however, is to remove passive approaches to information security and set a sturdy foundation that allows for continuous improvement.

For more information on security program maturity, read our whitepaper on Managing Cyber Security Maturity.