• #security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!

Security Maturity Grid

The grid is a simple 5 x 6 matrix that plots five stages of maturity in a company’s security management against six security management categories (management understanding of security, problem handling, cost of security, and so on). The lowest stage is called ‘Uncertainty’ – the organisation is inexperienced, and security management is a low priority and purely reactive – and as security management matures it passes through ‘Awakening’, ‘Enlightenment’ and ‘Wisdom’ to the highest stage, ‘Certainty’. Each cell of the grid – one stage against one category – carries a brief description of how that combination looks in the company.

The Security Maturity Grid by Albert Zenkoff

The six measurement categories form the rows; the five maturity stages form the columns: Stage 1 Uncertainty, Stage 2 Awakening, Stage 3 Enlightenment, Stage 4 Wisdom, Stage 5 Certainty.

Management understanding and attitude
  Stage 1: No comprehension of security as a management tool. Tend to blame the security department, if one exists, for “security problems”.
  Stage 2: Recognising that security management may be of value, but not willing to provide the money or time to make it happen.
  Stage 3: While going through the security improvement programme, learn more about security; become supportive and helpful.
  Stage 4: Participating. Understand the absolutes of security management. Recognise their personal role in continuing emphasis.
  Stage 5: Consider security management an essential part of the company system.

Security organisation status
  Stage 1: Security is hidden in the manufacturing and engineering departments. Inspection and audit are not part of the organisation. Emphasis on appraisal, problem fixing and moving the product.
  Stage 2: A stronger security leader is appointed, but the emphasis is still on moving the product. Still part of engineering or some other department.
  Stage 3: The security department reports to top management, all appraisal is incorporated, and the security manager has a role in the management of the company.
  Stage 4: The security manager is an officer of the company; effective status reporting and preventive action. Involved with customer affairs and special assignments.
  Stage 5: The security manager sits on the board of directors. Prevention is the main concern. Security is a thought leader.

Problem handling
  Stage 1: Problems are fought as they occur; no resolution; inadequate definition; lots of yelling and accusation.
  Stage 2: Teams are set up to attack major problems. Long-range solutions are not solicited.
  Stage 3: Corrective action communication established. Problems are faced openly and resolved in an orderly way.
  Stage 4: Problems are identified early in development. All functions are open to suggestion and improvement.
  Stage 5: Except in the most unusual cases, security problems are prevented.

Cost of security as % of sales (reported / actual)
  Stage 1: unknown / 20%
  Stage 2: 3% / 18%
  Stage 3: 8% / 12%
  Stage 4: 6.5% / 8%
  Stage 5: 2.5% / 2.5%

Security improvement actions
  Stage 1: No organised activities. No understanding of such activities.
  Stage 2: Trying obvious “motivational” short-range efforts.
  Stage 3: Implementation of a multi-step security programme with thorough understanding and establishment of each step.
  Stage 4: Continuing the multi-step security programme and starting other proactive and preventive product security initiatives.
  Stage 5: Security improvement is a normal and continued activity.

Summary of company security posture
  Stage 1: “We don’t know why we have problems with security.”
  Stage 2: “Is it absolutely necessary to always have problems with security?”
  Stage 3: “Through management commitment and security improvement we are identifying and resolving problems.”
  Stage 4: “Security weakness prevention is a routine part of our operation.”
  Stage 5: “We know why we do not have security problems.”

Basically, this is a shameless rip-off of the idea of Crosby’s Quality Maturity Grid, rewritten to fit security instead of quality. I do not understand why all of this is understood by the industry for quality but not for security. Do we need another thirty years for security to be accepted, just as once happened with quality?