- Maturity models provide frameworks for organizations to evaluate their security capabilities and identify areas for improvement. They allow benchmarking against peers.
- There are different types of models including progress-based models that measure advancement through levels and capability maturity models (CMM) that assess process institutionalization. Hybrid models combine aspects of both.
- Examples discussed include the Systems Security Engineering Capability Maturity Model (SSE-CMM) that evaluates security engineering practices across five levels and the CISO Platform Security Benchmarking that compares technologies adopted to peers.
3. What’s a Maturity Model?
“A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline. A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement.” – C2M2, DOE, US Govt.
How’s it Useful?
- Helps Define a Framework for Organizations to Baseline Current Capabilities / Architecture
- Conduct Standardized, Consistent Evaluation(s) - Identify Gaps, Build Roadmaps; Measure Progress
- Allows Organizations to Benchmark their Capabilities against Peers
- Enables Decision Making - How to Improve, Prioritize Investments in Tech, People, Services, etc.
4. Types of Maturity Models
1. Progress-based Maturity Models
   1. Measures Simple Progress / Advance Through Ascending Levels (as defined by Org/Industry)
   2. E.g.: Simple Password -> Strong Password -> TFA
   3. Pros: Simple; Cons: May NOT translate to Maturity
2. Capability Maturity Models (CMM)
   1. Primarily Measures the Degree to Which Processes are Institutionalized; Strength of Org Culture
   2. E.g.: SSE-CMM
   3. Pros: Rigorous Measure of Capabilities; Cons: False Sense of Achievement – Maturity does not equal security
3. Hybrid
   1. Combines the Above Two.
   2. E.g.: Cybersecurity Capability Maturity Model (ES-C2M2)
   3. Pros: Easy Progress Measurement & Approximation of Capability; Cons: Not as Rigorous as CMM
Adapted from Content Provided by CERT and the Software Engineering Institute (SEI), CMU.
5. Some Maturity Models
1. CERT CC Resilience Maturity Model
2. COBIT
3. US Dept of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
4. Information Security Management Maturity Model (ISM3)
5. NIST CSEAT IT SMM
6. Gartner’s Security Model
7. Systems Security Engineering Capability Maturity Model (SSE-CMM)
8. Computer Emergency Response Team/Chief Security Officer Security Capability Assessment (CERT/CSO)
9. Community Cyber Security Maturity Model (CSMM)
10. FFIEC – Cybersecurity Maturity
11. OpenSAMM - AppSec
12. BSIMM – AppSec
13. and Many More…
15. Some Resources to Get You Started
1. CPSB
2. Vendor Specific, some examples:
   1. nCircle
   2. Veracode
   3. KPMG - Cyber KARE
3. BSIMM - https://www.bsimm.com/
4. Open SAMM - http://www.opensamm.org/
5. https://buildsecurityin.us-cert.gov
6. C2M2 - http://energy.gov/oe/services/cybersecurity/cybersecurity-capability-maturity-model-c2m2-program/cybersecurity