Carric Dooley
Partner Perspectives
What We Mean by Maturity Models for Security

The aim is to assess the current state of security against a backdrop of maturity and capability to translate actions into goals that even non-security people can grasp.

My recent blog on incident response program maturity sparked some fundamental questions about maturity models as a concept. Let’s use this blog to establish what we are talking about in terms of maturity, audit versus assessment, and so on.

The intent to understand a client’s maturity does not demand what we would call an audit. That implies there is a checklist, and the client could pass or fail. An audit also implies the behavior of “managing to the audit” versus “becoming more secure” (like the grade inflation we have experienced in US schools). We are suggesting an assessment of current state against a backdrop of maturity and capability. (Take another look at the table.)

Maturity is loosely tied to CMMI (Capability Maturity Model Integration) in the sense that it has been an industry-accepted term/framework for some time. It is intuitive to think about the current state of security maturity and capability in terms of “reactive, compliant, proactive, optimizing,” but you could really use any version of this to achieve what we are suggesting. I have seen other maturity models that reference levels of capability versus state (i.e., no capability, some capability, etc.).

What we are trying to do is define the activities we see for the various maturity levels we have defined. As an example, look at incident-response (IR) capability. We have many clients that pull their IT teams to do IR when things go sideways. Validating our experience, a McAfee-sponsored SANS survey on incident response said that 61% of respondents draw in additional assistance from their internal IT staff to address their IR surge needs.

This means:

  • IT can’t do their day job while focusing on the incident.
  • They do not have the skill or the tools to follow basics such as sound forensic process or chain of custody.
  • Containment takes longer, and the ability to pursue responsible parties is likely lost.
  • How effective is remediation when it is defined by a team whose expertise, again, lies elsewhere? (If they didn’t understand the root cause, the incident could just keep repeating.)
  • A breach or incident is not really an IT problem. It requires specific skills and capabilities to detect and respond effectively.

The above state implies a low level of maturity in terms of IR as a means to affect the impact component of the risk equation (Risk = Threat x Vulnerability x Impact). If you know the current state, and you help the client define the desired state, it becomes a simple roadmap of steps to get from current to desired.

You could extrapolate this concept to the proposed areas of security that were highlighted (strategy, infrastructure, application security, IR, awareness, metrics) to create a more meaningful, business-driven conversation that somewhat obfuscates all of the security industry specific “nuts and bolts” that have created the perception gap in the first place.

Over and over, I see clients that are spending a lot of money doing a lot of “security stuff,” which creates a perception of “we are doing stuff – we are getting more secure.” This is not necessarily the case, and may dangerously create a false sense of security. If we define that state and progress in terms of critical controls and common criteria, such as ISO, NIST, and COBIT, it’s not a language the business will ever grasp, leaving it unable to draw any conclusions of how dollars spent equals better security (especially since there is no direct correlation in the absence of any real metrics – another typical gap).

Maturity models translate actions into goals that even non-security people can grasp.

I’ll admit this approach is still subjective, based on “expert opinion,” but to me it’s more real than “risk scores” that create pseudo-specificity while still resting on “expert opinion.” It also makes more sense and illustrates why it’s difficult to go from maturity 0 to 3 just by deploying a SIEM. It doesn’t reduce the complexity of the problem, or even the solution, but speaking in terms of maturity gives the business and the geeks common ground. I would also say it reduces some of the chaos of how you represent current versus desired state. This creates a quantifiable set of rational goals versus the “let’s lose some weight” (or “buy and deploy some stuff”) approach we often see.

Additionally, the areas of security listed in the table (strategy, infrastructure, application security, IR, awareness, metrics) are the distilled result of seeing incidents, their root causes, and alarming assessment results first-hand. It’s not exhaustive, nor is it an attempt to replace any other framework. It’s just a basic mental checklist to “plumb line” your current program to make sure what’s there at least covers the basics.

Carric Dooley has extensive experience leading comprehensive security assessments as well as network and application penetration tests in a wide range of industries across North America, Europe, and Asia. As the Worldwide VP of Foundstone Services at McAfee, part of Intel ...
Comment, 2/15/2017 | 9:30:44 AM
Another way to define maturity
IMHO, Maturity is a measurement of the ability of an organisation for continuous improvement in a particular discipline (as defined in O-ISM3). The higher the maturity, the higher will be the chances that incidents or errors will lead to improvements either in the quality or in the use of the resources of the discipline as implemented by the organisation.