How solid a job is a cybersecurity organization doing? There’s no easy answer to that question. Not experiencing a breach that lands the organization on the front page of the Wall St. Journal is a good start, but it’s not an ideal metric. Maybe there’s a breach that hasn’t yet been discovered; maybe the enterprise isn’t quite as juicy a target as its top competitor. In other words, what may look like a successful (or unsuccessful) security organization is often just a matter of luck.
A better approach to assessing the quality of one’s cybersecurity organization is the concept of maturity. Is your organization structured and funded in a way that leads to proven success? Are you deploying technologies that lead to successful cybersecurity? Are you investing in the right areas? And above all, how do you determine the “right” answer to these questions?
To assist in all of the above, Nemertes has developed a Security Maturity Model based on decades of experience and intensive research. Our maturity model includes four levels: unprepared, reactive, proactive, and anticipatory. Across each salient dimension—budgeting and procurement, organization, planning, and technology—we mapped the benchmark participants into those four levels and determined which characteristics align with each level in each dimension.
The result is a model that enterprise organizations can use to assess their security maturity and, more importantly, to determine what steps to take to improve that maturity.