Time to measure your security maturity

Most CISOs think they have a handle on how secure their organization is, pointing with pride to the latest (fill in the blank) system that’s just been installed.

But another way to measure what’s going on is to look at the organization’s security maturity — or, as author Brian Krebs put it in a post Monday, does it make cybersecurity a part of the culture or just pay lip service to it?

There are several models IT security pros can choose from: Krebs cites one crafted by the Enterprise Strategy Group, which breaks organizations down into basic, progressing and advanced. An advanced organization, for example, has a CISO who reports to the CEO, and focuses on incident detection, prevention and response.

An executive at a security vendor suggests a three-tier model which measures maturity in terms of preparedness and expectations. A reactive organization, for example, lacks executive support for IT security, and its IT operations are underfunded, understaffed and lack metrics for reporting. Business units are then ranked 1 to 5 across six categories (for example, security awareness and training).

There are other models, some based on controls set out in the ISO 27001 family of information security management standards.

As Krebs notes, measuring security maturity can also provide a roadmap for organizations that wish to change their security culture. “Perhaps unsurprisingly, entities that are able to manage that transition typically have a leadership that is invested in and interested in making security a core priority,” he writes. “The real trick is engineering ways to influence the leadership, with or without the fleeting momentum offered by a breach.”


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
