In business development, a maturity model is a common way to distinguish the capabilities and needs of different companies. The maturity of your security provides a context which, in turn, helps when determining your needs.

Capability Maturity Modeling

Capability maturity modelling, or CMM, is a process that helps to measure the general effectiveness and efficacy of programs and processes. "Maturity" in this case relates to those programs and processes in terms of security.

A security maturity model contains a set of characteristics, or indicators, that represent capability within an organisation’s security program.

Maturity modelling, based on CMM, focuses on creating processes that are thorough, repeatable, and have the potential to improve. CMM works to automate, where possible, to make the processes an effective part of an organisation’s overall operational infrastructure.

Utilising CMM can help an organisation identify areas for potential improvement. For example, processes that merely react to security threats can be modified to take a proactive approach and to implement measurable improvements.

Aspects of a Security Maturity Model

A capability security maturity model defines five distinct maturity levels. Each level indicates how far an organisation has optimised its security processes.

As an organisation progresses from one level to the next, its processes move from unorganised and unstructured to a level where they run smoothly and are continuously optimised.

Key process areas (KPAs) characterise each level of the maturity model. A KPA is a cluster of related practices that, when implemented together, satisfy goals set to improve a given area of the program.

The following KPAs are what organizations should keep in mind at each level of the maturity model:

  • The commitment to perform
  • The ability to perform
  • The activities performed
  • Measurement and analysis of the results
  • Verifying the implementation of processes

The above KPAs should be considered within each of the following maturity model levels:

Level 1: Initial

At this level, there are no security practices in place. Processes are ad hoc and informal. Security is reactive and not repeatable, measurable, or scalable.

Level 2: Repeatable

At this stage of maturity, there is growing awareness of the need for security. Although there are some procedures in place, they are relatively unjustified from a business perspective.

Level 3: Defined

Within this phase, processes are defined, standardised and formalised. This helps create consistency across the organisation, allowing measurement and quantification from a security viewpoint.

Level 4: Managed

At this stage, the organisation begins to refine and adapt its security practices to make them more effective and efficient, based on the information received from its programme.

Level 5: Optimizing

An organisation operating at this level has processes that are automated, formalised, and constantly analysed for optimisation. Security is an integral part of the business culture, delivering clear business value.

Optimised security does not mean that an organisation's maturity has reached its maximum potential, however. It confirms that the business is constantly adapting and evolving, ensuring continued improvement and progression.
