August 17th, 2016
By Corey Tower, CISM, PMP
If you have ever been in charge of implementing an inaugural security program, or have been asked to formally organize information security, you know that compliance requirements are at the forefront of the conversation. Yet if you have been building and managing a security program for years, you already know that a compliance-based approach is neither robust enough to handle modern threats nor comprehensive enough to manage risk across the entire business. As a measurement tool, compliance assessments are blunt instruments that focus primarily on the existence of controls, not on how well they operate. These assessments tend to yield binary results: either the organization is compliant, or it is not. Let’s explore how measuring your process maturity improves on a binary compliance approach.
Implementing security effectively from the results of a compliance assessment is challenging, since a compliance gap only tells you that a control is missing, not how much is at stake. Closing gaps one by one can lead to security investments that are disproportionate to the problem the organization is actually trying to solve.
How Maturity Prioritizes Investment
Focusing on your maturity will allow you to view your program in both its dark and its bright lights. If you are serious about the effectiveness of your security program, you must be honest about its current state. For example, if you have in-house software development and you reach the section of a compliance assessment that covers securing source code, you have two choices:
- Compliance Approach: Check the box that says “We do it – done.”
- Maturity Approach: Deep dive into process-level maturity (e.g. “How do we protect source code? How well defined are the standards for protecting it? What goal have we defined for source code protection? Is the security of our source code repository adequate, and how do we know?”). Each question is scored on a maturity scale of 0 through 5, such as the one defined by COBIT, and each score should be backed by evidence rather than self-assessment alone.
Once you have completed a maturity assessment of all the processes that make up the information security program, you can begin a more efficient plan for resource allocation and budget management. For example, perhaps 250 hours of project resource time can be shifted from your very mature patch management process to help your struggling security information and event management (SIEM) effort. A maturity-based assessment identifies the performance level of each key process area, and its output complements and enhances a risk assessment rather than replacing it. Looking at processes through the lens of maturity adds a dimension to team and security program performance and shows how to allocate resources once maturity goals have been set. In particular, it lets you:
- Identify how much security is “enough” by establishing process-level performance goals
- Measure the effectiveness of your security processes and their capacity to accomplish the intended outcomes
- Link information security metrics and measurement back to business value and strategy
- Use analytics and estimated level of effort to tell a compelling story to business executives and the board
TrustMAPP reports security posture by maturity level, including trend analysis, planning, budgeting, and built-in support for multiple security frameworks and regulations. As a cloud solution, TrustMAPP enables clients to begin assessing their information security program in weeks instead of months. TrustMAPP helps security leaders create and communicate a strategic roadmap, and build the budgets and resource plans that guide their organizations’ security activities.