I believe we need to think more specifically and explicitly about security program maturity and effectiveness. So how does that work?
This diagram highlights the key aspects involved.

Overall Goal of the Security Program
Overall, the goal of the security program is to make it effective enough to reduce (information/cyber) security risk to acceptable levels, according to the risk appetite of the organization. Typically, an organization will have a high-level definition of the risk appetite (via a risk-appetite statement). This needs to be translated to a meaning or understanding for information/cyber security.
Current Maturity & Effectiveness
It’s important to understand the current maturity & effectiveness level:
- This must be a measured process, not one based on assumption. Where little is measured, much is assumed, and in that case maturity & effectiveness can only be assumed, not known.
- Measurement draws on security requirements, security controls, assessments, internal/external audits, KPIs/KRIs, and overall professional judgement.
Many organizations struggle to measure their current maturity & effectiveness level!
The Target Level
The target level should be based on the risk-appetite (statement) of the organization, translated towards information/cyber security. For example, a risk-appetite statement may indicate that some or moderate risk is tolerated; that description of “some or moderate” must then be translated into information/cyber security outcomes.
Many CISOs and security practitioners believe that the target level must be a perfect level of security. This is not true.
A Perfect Level of Security
A perfect level of security, in which every possible security measure is implemented at a high level of effectiveness, is theoretically possible but not achievable in practice. Further, an organization typically does not have the budget for it.
So treat a perfect level of security as the most extreme end of the spectrum (versus the theoretical position of not having any security at all). Somewhere between those two points lie your current security maturity and effectiveness, and the target level.
The Most Secure Organization
There are a few organizations (and companies) around the world that are the most secure.
Your organization is probably not one of them, and that’s OK. Remember that your risk appetite is not their risk appetite.
Also note that the most secure organization does not have perfect security either.
The Roadmap
The current maturity level is where the organization stands today. If the current security maturity level is lower than the target level, there should be a roadmap to improve it.
- The roadmap should indicate how the security program will improve over time.
- The roadmap should indicate that this will not be achieved in a single day, week, or even quarter. It should have serious and achievable timelines based on available resources.
- The roadmap should have a breakdown in projects/programs, and it should include details such as who is in the lead, which teams are involved, the budget, the blockers, etc.
By documenting the impact of the roadmap, it’s possible to see how mature and effective the security program will be in 1, 2, or 3+ years’ time. This is a great insight for the CISO, the security function, and senior leadership within the organization.
