Corporate Security Maturity Assessment Peer Comparison
Created by the Security Executive Council
The SEC's Corporate Security Maturity Assessment
Common maturity frameworks strive to classify programs into categories or levels. Each level builds on the last. For example, to be classified at level "2" the program being assessed must exceed all the requirements that define level "1".
Different frameworks may use a different number of maturity levels and different nomenclature, but most follow the pattern set by the original software-based CMM. For this initial assessment work, the SEC chose to simplify the framework to four levels:
Informal => Managed => Measured and Effective => Optimized
To progress to higher levels of maturity, a security program must adopt processes that are repeatable and not dependent on a single point of failure (documented and managed), and it must measure results to ensure that it is meeting objectives and facilitating improvement (measured and optimized).
The programs/services selected for the initial assessments were ones common to many security organizations:
The SEC developed assessment questions to cover five initial domains of a security program:
Questions were developed for each domain specifically to draw out the significant factors that identify each level of maturity. In this way, the time required to complete the assessment was kept to a minimum.
Excerpt of Comparisons
For the five programs offered, over 280 maturity assessments were completed. Most participants reported annual revenues exceeding $1 billion, and they spanned a multitude of industries.
The average maturity assessment score was 2.4 (the possible score ranged from 1 to 4).
Assessment Scores by Security Programs:
All Programs Combined by Domains
Average Score: 2.4 out of 4
To Participate
Each maturity survey is a self-assessment tool, not an audit. It can be used to close gaps and reach the desired maturity level. It can also be used as a team exercise to check where team members think the security organization stands on maturity (note: in early testing, scores often varied among team members).
Visit this page to assess any of the five initial programs in your organization. If you choose to provide your contact information when taking the assessments, you will be eligible to receive the full report.
Data collected in these assessments will be kept confidential and will not be shared with third parties. If research based on this information is published, it will be published only in an aggregate form that preserves the privacy of the participants and the organizations they represent.
Contact us to discuss how the SEC can help you apply your maturity assessment.
Copyright Security Executive Council. Last Updated: October 25, 2018