Security Maturity Surety: Part 1

Don’t wait for a security breach to improve cybersecurity maturity. Take action now.

A mature security program is more than aligning controls with an operational framework, such as NIST Special Publication 800-53 or ISO 27001 and 27002. Mature security programs go beyond reactive or check-the-box approaches and require regular maturity assessments to drive and measure long-term improvements in governance, compliance, risk management, and overall security culture.

Selecting a maturity model doesn’t have to be a daunting task. Generally, models are process-oriented and relatively uncomplicated, compared to control-based frameworks that have multiple levels of controls and sub-controls within each domain. Regardless, the model you choose should be affordable, understandable by staff, and suited to your industry.


Security Maturity Models

Leading maturity models include:

  • The U.S. National Institute of Standards and Technology’s Program Review for Information Security Assistance (NIST PRISMA)
  • The Forrester Information Security Maturity Model
  • Gartner’s ITScore for Information Security
  • The Cybersecurity Capability Maturity Model (C2M2)
  • Control Objectives for Information Technology (COBIT), a governance framework that can also assess maturation
  • The NIST Cybersecurity Framework (CSF), an unofficial maturity model due to its wide applicability

Maturity models break down maturation into tiers based on the strength and preparedness of the security program. At the lowest level of maturity, policies, processes, and procedures are unorganized, unstructured, and undocumented. Comparatively, at the highest level, the program facilitates continuous assessment, monitoring, and improvement of IT processes; policies and procedures are documented, communicated, enforced, and adhered to; and there is a strong organizational security culture.

Remember that not every program will, or needs to, reach the highest maturity tier. Differences in organizational size, structure, budget, and prioritization of various IT processes will help determine the ideal maturity level for the organization as a whole and the target maturity levels for specific process domains.

Undoubtedly, aligning with a model helps organizations remove passive approaches to information security and set a sturdy foundation that enables continuous improvement. The first step is finding the one that best suits the organization and its current and future goals.

For more information on security maturity, read on to Security Maturity Surety: Part 2 in this series or download our white paper on Managing Cybersecurity Maturity.