By: Christoffer Brown, SecureTrust Product Manager
A security maturity model is a framework for measuring – you guessed it – the maturity of a security program. A maturity model helps assess the current operational effectiveness of key processes relative to peers and desired maturity goals for entities to understand what capabilities are needed to improve.
The SecureTrust Security Maturity levels are:
0) INCOMPLETE: Ad hoc or unknown process.
1) INITIAL: Initial approach to carrying out a process is unpredictable and poorly controlled.
2) REPEATABLE: A repeatable process is planned and controlled but is often still reactive.
3) DEFINED: Proactive rather than reactive, defined processes are documented and standardized.
4) MANAGED: Processes are quantitatively managed to improve toward performance objectives.
5) OPTIMIZED: Processes are continuously improved to respond to opportunity and change.
PCI DSS Compliance is a must. And, security maturity should be the next step after compliance has been achieved. Most organizations recognize compliance is a must and only those wearing tin foil hats disagree. The most mature organizations understand the importance of compliance, but they also know it’s not enough. It’s no secret that the Payment Card Industry Data Security Standard (PCI DSS) is a low bar. The PCI DSS itself acknowledges it’s only a “minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks.” You must determine which, if any, additional controls and practices should be in place [to further mitigate risk] and determine the best course of action to optimize your compliance and security investment.
Adopt a lingua franca and work on shared goals. Management can have a hard time setting and communicating expectations. When expectations aren’t set, aren’t communicated or when expectations change, staff won’t know what level of performance is enough. Alternatively, if managers and staff understand their role, are using the same yard stick and speaking the same language, it becomes that much easier to focus, making your team more likely to achieve success. [Maturity modeling allows you and your staff to stay on the same page and maintain the plan to reach the next stretch goal.]
Measure, benchmark and periodically assess. Yes, part of any honest assessment is pointing out things that are broken. But, identifying gaps is not the end goal of a maturity assessment. Rather, the purpose is to create organizational awareness of common goals and to increase performance and growth. And, that starts with the reality of where your organization is today, periodically adjusting and maturing.
Improve toward defined objectives. Breaches are often what forces a bump up in the maturity scale. The better alternative is management support for an honest exploration of security maturity objectives to set the bar high enough before a breach happens. Benchmarking is useful to communicate with upper management for support. The genuine objective is to persuade leadership and individuals that can help shift the culture to make security a priority.
For more information, download a copy of the 2019 SecureTrust Global Compliance Intelligence Report.