
Can you really measure the maturity of your Information Security Program?

August 25, 2012

This question is not an easy one to answer. FishNet Security has been researching and reviewing several different approaches. Each of these information security program maturity methodologies can be leveraged to provide a foundation that helps build and develop an information security program — or a best practices framework — against which one's existing information security program can be continually evaluated.
Each of these methodologies comprises a set of core elements or programs that an information security program should consist of, as well as mechanisms for setting a strategic roadmap and direction for the programs that the organization's key security stakeholders completing the maturity evaluation value most highly. All of these information security maturity models also provide a method to empower CISOs in the ongoing management of a security program.
The set of core elements or programs defined within each information security maturity model references back to a pillar or domain within one or more common security frameworks, such as ISO 27001, NIST or COBIT. The programs outlined within the maturity frameworks usually consist of a mixture of GRC, risk and operational programs. All of the information security program maturity models that FishNet Security has reviewed share several common traits:

  • Objective
  • Prescriptive
  • Modular
  • Simple to Understand
  • Leverage CMMI to Score Maturity Levels
  • Strategy and Direction-setting Oriented

The maturity of each of these elements or programs is evaluated through a variety of due diligence methods, such as documentation review, interviews, observation and/or round table or workshop discussions. The due diligence evaluation is completed against best practices and/or by comparing one's program with the commonly seen characteristics of mature programs. This maturity due diligence does not include the control-level evaluation performed in a compliance-based gap analysis engagement. The maturity models reviewed by FishNet Security vary in how they are organized: some consist of programs and pillars, while others have domains, functions and components.

Who provides this type of consulting engagement?

  • Information Security Solution Providers (ISSPs)
  • Large Public Accounting Firms
  • Security Software Manufacturers

In conclusion, FishNet Security believes that this type of service can be extremely valuable for organizations, helping to provide direction, priority and an independent perspective on an information security program's maturity level.
