Security Program Maturity Models

Return to Security Program Strategy & Operations
Created by the Security Executive Council

A maturity model is a framework for benchmarking an organization's processes and procedures against clearly defined best practices, so that current capability can be rated on a scale and gaps can be prioritized.

The Software Engineering Institute (SEI) at Carnegie Mellon University created a maturity model (the Capability Maturity Model, later CMMI) that originally addressed software development but can be applied to other processes. It defines five maturity levels:
  1. Initial – Processes unpredictable, poorly controlled and reactive
  2. Managed – Processes characterized for projects; often reactive
  3. Defined – Processes characterized for the organization; proactive
  4. Quantitatively managed – Processes measured and controlled
  5. Optimizing – Focus on continuous process improvement

In a Security Barometer quick poll conducted in 2015, we asked security practitioners to provide a self-assessment of the maturity level of their programs using the five levels described by the SEI. The results of the poll are shown below.

[Chart: results of the Security Barometer poll on security program maturity levels]

When practitioners were asked a recovery-related question closely aligned with the lowest level of maturity, 27% said they did not achieve it. Perhaps they did not understand the question, but we expected the percentage to be much lower, close to zero. When participants were asked about metrics (an indicator of a higher level of maturity), 64% said they did not use business value metrics, that is, metrics that go beyond simply counting activities such as the number of background checks performed or the number of badges issued. We hope to see that change over time.

The Security Executive Council is using the knowledge it has obtained through years of research into organizational structure, culture and security processes, together with input from its experienced Emeritus Faculty (former security executives) and its community of leading practitioners, to identify proven security processes and practices. Contact us if you would like the operational maturity of your security programs assessed against these leading practices.