
Mapping the path toward information security program maturity

Amid tight information security budgets, it can be hard to recommend the best ways to invest new dollars or focus new resources. In this tip, Ed Moyle explains why creating a security program maturity map is a sensible way to not only track a program's growth, but also isolate and correct inefficiencies.

As information security professionals, most of us go to work every day asking more or less the same fundamental question: "How can we do more with less?" If our environment is like most, workloads are up and budgets are down; we'd like to optimize the information security program for efficiency, but the never-ending barrage of worms, spyware and vulnerabilities keeps us thinking reactively rather than strategically. After all, investments in efficiency require time, manpower and dollars, and all of those are difficult to come by.

The challenge then is finding a way off the treadmill; in other words, finding a way to steadily increase the overall organizational efficiency while keeping the impact on day-to-day operations low. One strategy that almost every organization can use as a first step is to create a map of the overall information security program's process maturity and use that map to guide future investments. Such a map allows managers to understand the current state of the information security program, isolate areas of inefficiency, and hopefully reduce those inefficiencies over time.

Creating the maturity map

To create a rudimentary maturity map, first select a standardized framework for understanding process maturity and apply it to the security practice as a whole. Selecting a standardized framework is advantageous because much of the work has already been done: the levels of process maturity are already defined, and precise guidelines for assessing processes against them have already been documented.

There are quite a few published maturity frameworks to choose from as a starting point:

  • OPM3 - Organizational Project Management Maturity Model
  • CMMI - Capability Maturity Model Integration
  • COBIT - Control Objectives for Information and Related Technology
  • SSE-CMM - Systems Security Engineering Capability Maturity Model


All of these frameworks offer not only a multi-tiered model with specific criteria for assessing process maturity, but also facilitate self-assessment and/or contracted external assessment. An organization should select a methodology that it is comfortable with -- potentially one that's already being used in other areas of the firm -- and begin to categorize and quantify how functions within the information security program stack up.

A question to ask before selecting a framework is whether the organization is most interested in the engineering aspects of information security or in the overall program maturity. Organizations wishing to concentrate on the engineering aspects of information security may find it beneficial to select the SSE-CMM as a benchmark, as it was created with security in mind and is already tailored for use by security organizations. Organizations seeking to analyze their programs more generally, however, will need to supply a second piece of the puzzle, because the more general process models were not developed specifically for security organizations. To fill in the missing piece, determine which elements of a comprehensive information security program are in scope for evaluation and analyze them according to the maturity model selected. To do that, use a comprehensive information security-specific framework, such as International Organization for Standardization (ISO) 17799 or National Institute of Standards and Technology (NIST) special publication 800-52, to select and categorize the areas of concentration (the processes) to be evaluated. As with the maturity frameworks, using a standard approach minimizes the documentation effort, as each criterion in scope is already fully documented.

From map to milestones

Having a map is only the first step; after all, there's more involved in navigating to a destination than just having directions for how to get there.

The next step is to use that information to guide where investments are actually made. To do that, we'll need to look at more than just the maturity of a given process, because not every area covered will be of the same level of importance to our business: some areas might be more important, or more easily optimized, than others.

However, starting with a basic understanding of information security program maturity gives an organization an advantage in decision-making. It gains insight about where to invest, how quickly to invest and what cost/resource impact an investment will have.
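The mapping and prioritization steps above, as an added example that is not part of the original tip: it applies CMMI-style maturity levels to a handful of ISO 17799-style control areas and ranks them for investment. The importance/ease inputs, the target level and the gap-weighting formula are this example's own assumptions, not a scoring method the article prescribes.

```python
"""Toy maturity map: CMMI-style levels applied to security control areas."""
from dataclasses import dataclass

# CMMI staged maturity level names; the one-line criteria are a simplification
# for this example, not the framework's formal definitions.
LEVELS = {
    1: "Initial: ad hoc, success depends on individuals",
    2: "Managed: planned and tracked per project",
    3: "Defined: documented organization-wide standard process",
    4: "Quantitatively Managed: measured with metrics",
    5: "Optimizing: continuous, data-driven improvement",
}

@dataclass
class Process:
    name: str        # control area drawn from a security framework (e.g. ISO 17799)
    maturity: int    # assessed maturity level, 1..5
    importance: int  # business importance, 1 (low) .. 5 (high); assumed input
    ease: int        # ease of improvement, 1 (hard) .. 5 (easy); assumed input

def investment_score(p: Process, target: int = 3) -> int:
    """Gap to the target level weighted by importance and ease (example formula)."""
    if not 1 <= p.maturity <= 5:
        raise ValueError(f"maturity out of range for {p.name}")
    gap = max(0, target - p.maturity)  # processes already at target score 0
    return gap * p.importance * p.ease

def maturity_map(processes, target: int = 3):
    """Return (name, level name, score) rows, highest investment priority first."""
    rows = [(p.name, LEVELS[p.maturity].split(":")[0], investment_score(p, target))
            for p in processes]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample assessment; the values are illustrative, not a real organization.
SAMPLE = [
    Process("Access control", 2, 5, 3),
    Process("Incident management", 1, 5, 4),
    Process("Asset classification", 3, 2, 5),
    Process("Physical security", 2, 3, 1),
]

if __name__ == "__main__":
    for name, level, score in maturity_map(SAMPLE):
        print(f"{score:3d}  {level:<24} {name}")
```

Raising the target level (for example, `maturity_map(SAMPLE, target=5)`) re-ranks the same assessment, which is how the map can be reused as the program matures.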

About the author
Ed Moyle is a veteran of the information security industry. As a manager with CTG, he provides practical guidance and advice to clients worldwide. Ed has held numerous key roles in information security, including VP/ISO for Merrill Lynch and lead developer for biometrics firm ICT. Ed is co-author of Cryptographic Libraries for Developers, a practical resource for developers.

This was last published in January 2007
