Can You Really Measure the Maturity of Your Information Security Program?

By Mark Carney ·

This question is not an easy one to answer. FishNet Security has been researching and reviewing several different approaches. Each of these information security program maturity methodologies can be leveraged to provide a foundation that helps build and develop an information security program — or best practices framework — to continually evaluate one’s existing information security program.
Each of these methodologies are comprised of a set of core elements or programs that an information security program should consist of, as well as mechanisms on setting a strategic roadmap and a direction to those programs that are highly valued and a top priority to the organization’s security key stakeholders completing the maturity evaluation. All of these information security maturity models provide a method to empower CISOs for ongoing management of a security program as well.
The set of core elements or programs defined within each information security maturity model references back to a pillar or domain within one or more common security frameworks, such as ISO27001, NIST or CoBIT. The programs outlined within the maturity frameworks usually consist of a mixture of GRC, Risk and Operational-related programs. All of the information security program maturity models that FishNet Security has reviewed have several common traits: 

  • Objective
  • Prescriptive
  • Modular
  • Simple to Understand
  • Leverage CMMI to Score Maturity Levels
  • Strategy and Direction-setting Oriented

The maturity of each of these elements or programs is evaluated through a variety of due diligence methods, such as documentation review, interviews, observation and/or round table/workshop discussions. The due diligence evaluation is completed through best practices and/or comparing one’s program against commonly seen characteristics of mature programs. The information security program maturity due diligence does not include control-level evaluation experienced within a compliance-based gap analysis review engagement. The maturity models reviewed by FishNet Security vary in how they organize its model. Some maturity models consist of programs and pillars, while others have domains, functions and components.
Who provides this type of consulting engagement?

  • Information Security Solution Providers (ISSPs)
  • Large Public Accounting Firms
  • Security Software Manufacturers

In conclusion, FishNet Security believes that this type of service can be extremely valuable for organizations to complete in helping provide direction, priority and an independent perspective on an information security program’s maturity level.