Eric Vanderburg

As an organization becomes more conscious and engaged in protecting information, it progresses along a path of security maturity. I like to describe this path in five stages starting with ad hoc and ending with leading organizations (see the figure below). This model is helpful because it demonstrates how security is refined in an organization. Most importantly, it shows that security maturity takes time to be part of an established organization and how an organization can transform from viewing security as a cost to an investment. Let’s see how it works.

In the beginning, security incidents are handled as they are discovered. Incidents may be identified in-house but, more often, customers, partners, vendors, or external compliance bodies inform the company of the incident. Teams race to solve the issue and restore operations to normal. Those who acted are the heroes, and once the incident has passed, business goes back to normal…until the next incident. We call this stage “Ad Hoc,” a Latin phrase meaning “for this,” since incidents are each handled on their own merit without following a standard or procedure. This requires team members to figure out a solution each time without the advantage of prior thought on the issue, leading to inconsistent performance and a higher cost per incident to the organization.

When the discomfort of this situation is too great, companies begin to develop policies and procedures, terming this stage “Developing.” Policies establish high-level expectations while procedures document specific actions that are designed to implement the policies. Organizations at the developing stage often have a limited number of policies or the elements of the policies are contained in other documents such as employee handbooks. The procedures documented at this stage cover the tasks encountered most often, but polices and procedures are far from complete. Also, employees may not be fully aware of the policies and procedures and, if they are aware, they do not always follow them, partially because the roles related to some procedures may not be well-defined.

The developing stage of security maturity is followed by the practicing stage. Many organizations fall into the developing or practicing stages. In the practicing stage, policies and procedures have had time to percolate through the organization and most, if not all, employees are aware of the policies impacting them and the procedures required to perform their job role. Procedures are mapped to roles and employees are held accountable for performing their role. Employees follow the procedures the majority of the time and are sanctioned when procedures are not followed. Organizational culture changes at this stage too. The previous stages were primarily concerned with responding to incidents but here, the organization begins to take a more risk-based approach to security. Controls are defined to bring risks within the organizational tolerance level which transitions effort from response to planning and implementing controls.

As risk management and controls are refined, the organization enters into the optimizing stage. Here, controls are measured using defined metrics to ensure that they are bringing risks to an acceptable level. Plans such as incident response or business continuity are tested, giving employees a chance to practice the procedures in their role. This increases efficiency and effectiveness in implementation and can identify improvements. The focus shifts from documenting what will be done to how well the plan was implemented, with an eye to how the organization can improve after each exercise or incident. Independent teams, often third parties, audit controls against best practices and compliance requirements.

The last stage of security maturity is called “leading” and it is achieved in a small set of companies. This level of maturity is seen most often in companies that model security behavior for others and those whose core competencies lie in protecting information. These organizations have learned a great deal from their experiences and have well-crafted policies and procedures along with teams that implement procedures effectively. Their effectiveness is tracked and reported on with precise metrics that senior management use to evaluate success. Security controls are implemented early in the process and technology life-cycle that they are seamless to the process and accepted with minimal or no resistance from employees. Rather than implementing best practices, the leading organization establishes them.

Consider this maturity model in the context of determining your upcoming security strategy. The New Year is not far away, and many organizations will be putting together annual and quarterly plans. Think about where your organization is right now and where you want to be. Then perform an assessment to determine the steps to take to get you there and make it part of your strategy.