I wrote up the Security Maturity Grid the way quality management is usually presented. The grid is a simple 5 x 6 matrix that shows different stages of maturity of the company’s security management against six security management categories (management understanding of security, problem handling, cost of security, etc.). The lowest stage of maturity is called ‘Uncertainty’ – the organisation is inexperienced, and security management is a low priority and reactive. As security management matures it moves through the stages of ‘Awakening’, ‘Enlightenment’ and ‘Wisdom’, up to the highest level, ‘Certainty’. Each point on the grid – a maturity stage against a category – has a brief description of how that combination appears in the company.
I keep the grid on a separate page, Security Maturity Grid, so have a look and try to position yourself or your company on the grid. Then wait for the software security goons to show up :)