Mapping the path toward information security program maturity

As information security professionals, most of us go in to work everyday asking more or less the same fundamental question: "How can we do more with less?" If our environment is like most, workloads are up and budgets are down; we'd like to optimize the information security program for efficiency, but the never-ending barrage of

    Requires Free Membership to View

worms, spyware, and vulnerabilities keep us thinking reactively rather than strategically. After all, investments in efficiency require time, manpower and dollars, and all of those are difficult to come by.

The challenge then is finding a way off the treadmill; in other words, finding a way to steadily increase the overall organizational efficiency while keeping the impact on day-to-day operations low. One strategy that almost every organization can use as a first step is to create a map of the overall information security program's process maturity and use that map to guide future investments. Such a map allows managers to understand the current state of the information security program, isolate areas of inefficiency, and hopefully reduce those inefficiencies over time.

Creating the maturity map

To create a rudimentary maturity map, first select a standardized framework for understanding process maturity and apply it to the security practice as a whole. Selecting a standardized framework is advantageous because much of the work has already been done. For example, definitions of process maturity have already been defined and precise guidelines for assessment of processes has already been documented.

There are quite a few published maturity frameworks to choose from as a starting point:

  • OPM3 - Organizational Project Management Maturity Model
  • CMMI - Capability Maturity Model Integration
  • COBIT - Control Objectives for Information Related Technology
  • SSE-CMM - Systems Security Engineering Capability Maturity Model

    More information

    In our SOX Security School, study up on security standards and learn how to build a compliance framework.

    Know the differences between ISO/IEC 17799 and COBIT.

    All of these frameworks offer not only a multi-tiered model with specific models for assessing process maturity, but also facilitate self-assessment and/or contracted external assessment. An organization should select a methodology that it is comfortable with -- potentially one that's being used in other areas of the firm -- and begin to categorize and quantify how functions within the information security program stack up.

    A question to ask before selecting a framework is whether an organization is most interested in the engineering aspects of information security or if they are interested in the overall program maturity. Organizations wishing to concentrate on the engineering aspects of information security may find it beneficial to select the SSE-CMM as a benchmark, as it was created with security in mind and is already tailored for use by security organizations. Other organizations seeking to analyze their programs more generally, however, will need to supply a second piece of the puzzle, as the more general process models were not developed specifically for security organizations. To fill in the missing piece, we'll need to determine what elements of a comprehensive information security program are in-scope for evaluation and analyze them according to the maturity model selected. To do that, use a comprehensive information security-specific framework, such as International Organization for Standardization (ISO) 17799 or National Institute of Standards and Technology (NIST) special publication 800-52, to select and categorize areas of concentration (the processes) to be evaluated. As with the maturity frameworks, using a standard approach minimizes the documentation effort as each criteria in scope is already fully documented.

    From map to milestones

    Having a map is only the first step; after all, there's more involved in navigating to a destination than just having directions how to get there.

    The next step would be to use that information to actually guide where investments are made. We'll need to look at more than just the maturity of a given process to do that, because not every area covered will be of the same level of import for our business -- some areas might be more important or more easily optimized than others).

    However, starting with a basic understanding of information security program maturity gives an organization an advantage in decision-making. It gains insight about where to invest, how quickly to invest and what cost/resource impact an investment will have.

    About the author
    Ed Moyle is a veteran of the information security industry. As a manager with CTG, he provides practical guidance and advice to clients worldwide. Ed has held numerous key roles in information security, including VP/ISO for Merrill Lynch and lead developer for biometrics firm ICT. Ed is co-author of Cryptographic Libraries for Developers, a practical resource for developers.

This was first published in January 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.