Security Process Professional .......... Resources for IT Audit & Security Improvement
 
Security Maturity: Efficiencies Through Effective Integration
For most organizations, security is an improvement process. Because of this, we instinctively look to the quality improvement models we know. Some have spawned new models specific to security. But do they really give the best measure of enterprise security improvement? Just what do we mean when we say "security maturity"?

Phase-based approaches always fall short for me where security is concerned. We don't need yet another separate improvement initiative requiring yet another costly enterprise commitment.

Separate improvement initiatives based on hybrid models such as SSE-CMM and ITIL's security improvements can be effective, but I don't believe separate efforts are required.

Security can be efficiently rolled into the current quality improvement program because it was never not a part of it! After all, the recent elevation of its status has not changed the fact that security is, and always was, a quality attribute. Models like CMMI are built to accommodate improvements encompassing all quality attributes.

So then, if security is just a quality attribute, one among many in the quality improvement program, what do we mean by security maturity? The phrase is meaningful, but not in the way people use it. Phase-based improvement measures for security can be left to the enhanced quality models, but a prerequisite to achieving this efficiency is integrating security fully into other organizational processes, not dealing with it as a separate problem domain.

Therefore, perhaps a better definition lies with these unique prerequisite characteristics, where security maturity means the level of its enterprise integration at three levels: Defined, Integrated, and Optimized.


Last Updated ( Thursday, 07 July 2005 )
 