- Maturity models provide frameworks for organizations to evaluate their security capabilities and identify areas for improvement. They allow benchmarking against peers. - There are different types of models including progress-based models that measure advancement through levels and capability maturity models (CMM) that assess process institutionalization. Hybrid models combine aspects of both. - Examples discussed include the Systems Security Engineering Capability Maturity Model (SSE-CMM) that evaluates security engineering practices across five levels and the CISO Platform Security Benchmarking that compares technologies adopted to peers.

1. Security Maturity
Models
OVERVIEW OF SECURITY MATURITY MODELS

2. Agenda
1. What’s a Maturity Model?
2. Types of Maturity Models
3. Overview of SSE CMM & CISO Platform Security Benchmarking

3. What’s a Maturity Model?
“A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and
progression in a particular discipline. Model content typically exemplifies best practices and may incorporate
standards or other codes of practice of the discipline. A maturity model thus provides a benchmark against which
an organization can evaluate the current level of capability of its practices, processes, and methods and set goals
and priorities for improvement.” – C2M2, DOE, US Govt.
How’s it Useful?
ü Helps Define a Framework for Organizations to Baseline Current Capabilities / Architecture
ü Conduct Standardized, Consistent Evaluation(s) -Identify Gaps, Build Roadmaps; Measure Progress
ü Allows Organizations to Benchmark their Capabilities against Peers
ü Enables Decision Making - How to Improve, Prioritize investments in Tech, People, Services etc.

4. Types of Maturity Models
1. Progress-based Maturity Models
1. Measures Simple Progress /Advance Through Ascending Levels (as defined by Org/Industry)
2. E.g.: Simple Password -> Strong Password -> TFA
3. Pros: Simple; Cons: May NOT translate to Maturity
2. Capability Maturity Models (CMM)
1. Primarily Measures the Degree to Which Processes are Institutionalized; Strength of Org Culture
2. E.g.: SSE-CMM
3. Pros: Rigorous Measure of Capabilities; Cons: False Sense of Achievement – Maturity does not
equal security
3. Hybrid –
1. Combines the Above Two.
2. E.g.: Cybersecurity Capability Maturity Model (ES - C2M2)
3. Pro: Easy Progress Measurement & Approximation of Capability; Cons: Not as Rigorous as CMM
Adapted from Content Provided by CERT and Software Engineering Institute (SSE), CMU.

5. Some Maturity Models
1. CERT CC Resilience Maturity Model
2. COBIT
3. US Dept of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
4. Information Security Management Maturity Model (ISM3)
5. NIST CSEAT IT SMM
6. Gartner’s Security Model
7. Systems Security Engineering Capability Maturity Model (SSE-CMM)
8. Computer Emergency Response Team/Chief Security Officer Security Capability Assessment (CERT/CSO)
9. Community Cyber Security Maturity Model (CSMM)
10. FFIEC – Cybersecurity Maturity
11. OpenSAMM - AppSec
12. BSIMM – AppSec
13. and Many More…

6. ISO/IEC 21827 Systems Security Engineering
Capability Maturity Model (SSE-CMM)
The model is a standard metric for security engineering practices covering the following:
1. Project lifecycles, including development, operation, maintenance, and decommissioning
activities
2. Entire organizations, including management, organizational, and engineering activities
3. Concurrent interactions with other disciplines, such as system software and hardware, human
factors, test engineering; system management, operation, and maintenance
4. Interactions with other organizations, including acquisition, system management, certification,
accreditation, and evaluation.
Source: SSE-CMM

7. SSE-CMM Dimensions
Level 1 - Performed Informally
Level 2 – Planned & Tracked
Level 3 – Well Defined
Level 4 – Quantitatively Controlled
Level 5 – Continuously Improving
Source: SSE CMM

8. Sample
Source: SSE CMM

9. CISO Platform Security Benchmarking
◦ An insight about company current cyber security positioning among the
peers
◦ An insight about company current positioning in the overall market.
◦ Helps to analyse the gap in Cyber security structure
◦ Helps you to find out the strategic focus areas
◦ NOT a Capability Maturity Model

10. India vs World
•India is 75 to 80% at par with USA for Prevention / Detection
technologies.
•India is less than 10% at par with USA in Response
•India is less than 10% at par with USA for Prediction of breaches
beforehand.
•India is less than 10% at par in adoption of emerging security
technologies like
• threat Intelligence and Big data security analytics, RASP, IAST, Containerization/ Isolation,
Attack Deception etc. when compared to USA.

11. Industry wise maturity
0 10 20 30 40 50 60 70 80
Minor BFSI
Retail/Online
Manufacturing
Healthcare & Hospitality
Financial Services
Minor IT/ITES
Major BFSI
Major IT/ITES
Large Scale Telecom
44.95
51.52
52.43
53.13
56.06
59.25
70.16
74.66
76.62
Security Maturity Index
Verticals Security Maturity Index %

12. CISO Platform Security Benchmarking
Community-based initiative which helps organizations benchmark their
existing security posture against that of their peers / industry (e.g.: BFSI,
IT/ITES) and develop an actionable, prioritized roadmap for achieving the
desired maturity level.
The technologies are categorized into:
◦ Security control type (Prevent, Detect, response, Predict)
◦ Technology adoption type (Basic, Moderate, Advance)

13. Benchmarking – capabilities in place
* The Graph presented above is only indicative and for sample purposes only
SECURITY AWARENESS AND TRAINING
WIRELESS SECURITY
POLICY MANAGEMENT
MOBILE DEVICE MANAGEMENT
IAM/PIM
APPLICATION/DATABASE SECURITY
SIEM
END POINT SECURITY
DIGITAL RIGHTS MANAGEMENT
DLP/DATA SECURITY
IDS/IPS
PATCH MANAGEMENT
SECURE EMAIL/WEB GATEWAY, CONTENT …
STRONG AUTHENTICATION
UNIFIED THREAT MANAGEMENT
ANTI MALWARE/ANTISPYWARE
BCP/DR
WEB APPLICATION FIREWALL
VULNERABILITY MANAGEMENT
THREAT INTELLIGENCE
81.82%
68.18%
77.27%
45.45%
45.45%
59.09%
59.09%
90.91%
31.82%
72.73%
86.36%
86.36%
100.00%
63.64%
59.09%
95.45%
61.00%
61.00%
62.00%
53.00%
Capability in Place Statistics
Vertical Adoption(%)

14. Benchmarking - Capabilities not in place
* The Graph presented above is only indicative and for sample purposes only
0.00% 10.00% 20.00% 30.00% 40.00% 50.00% 60.00% 70.00% 80.00%
Vertical Adoption(%)
Capability Not in Place Statistics
DDOS IT GRC management Bio Metric Encryption for Servers/Storage/Database Anti APT

15. Some Resources to Get You Started
1. CPSB
2. Vendor Specific, some examples –
1. nCircle
2. Veracode
3. KPMG - Cyber KARE
3. BSIMM - https://www.bsimm.com/
4. Open SAMM - http://www.opensamm.org/
5. https://buildsecurityin.us-cert.gov
6. C2M2 - http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-
c2m2-program/cybersecurity

16. Thank You!