
The Capability Maturity Model in Information Security

The Capability Maturity Model (CMM) was originally intended to characterize processes involved in software development that affect the quality of the code that is produced. In a nutshell, the lowest CMM level (level 0) is called “nonexistent;” there is no awareness of the need for systematic development processes. At the highest level (level 5), development processes are optimized by being implemented, monitored and managed throughout an entire organization. The Software Engineering Institute (SEI) validated this model by empirically showing the relationship between processes in real-world software development settings and quality metrics such as number of bugs per 1000 lines of code.

Not surprisingly, the CMM model is also widely applied to information security practices, to the point that it has become a major basis for measuring the performance of an information security practice. There is a certain intuitive goodness to the CMM model; as one goes to higher CMM levels, more processes that appear to systematically address risk are present. At level 2, for example, processes are repeatable but intuitive; comprehension of the nature of risk and the need for security is just starting to happen. At level 3, there are defined processes, as evidenced by an organization-wide security risk management policy and the emergence of security training and awareness.

The CMM model has been applied to information security practices for at least a decade. Internal and external assessments of information security practices often produce the finding that practices seldom reach the highest level or even level 4. I have often asked attendees of information security management courses that I teach what level they think best characterizes their own information security practice. Invariably, the most common answers are levels 2 and 3. Why? Several reasons stand out in my mind:

1.    Failure on the part of information security managers (ISMs) to truly understand the nature of the business(es) that they are supposed to defend, support and enable. Without a genuine understanding of the business itself as well as the business processes involved, a large gap between senior management’s and the ISM’s expectations is likely to develop, something that almost always costs information security practices in terms of credibility, leverage, and resources needed to effectively manage risk.

2.    A general lack of knowledge regarding information security management. Too often technically competent people are pushed into information security management without any kind of appropriate information security management knowledge and skills. Many lack even the most basic knowledge of security, let alone security management. The result is inevitable—“barking up the wrong tree” (or sometimes simply wallowing in indecision) when it comes to managing security risk correctly and efficiently.

3.    Obstacles imposed by senior management. Senior management’s lack of knowledge concerning information security is one of the most formidable obstacles to the maturity of information security practices. Without suitable knowledge, senior management is unlikely to adequately support information security efforts in terms of elevating the ISM position to a suitable level within the organization, signing off on policies, standards and procedures, providing adequate resources, and more.

4.    Lack of oral communication and interpersonal skills on the part of ISMs. Although many ISMs excel in oral communication and interpersonal skills, some do not. The people factor is essential in on-the-job success (not just in information security, but also in just about every job and task); communication and interpersonal skills are thus essential if ISMs are going to bring their practices to levels of greater maturity.

5.    Failure to set proper security goals for information security practices and to monitor and report progress. Too often ISMs do not set appropriate goals for their information security programs, or if they do, they do not design and put in place processes for monitoring and communicating (e.g., to senior management) the degree to which goals are or are not being met.

6.    Failure to cooperate with and leverage other, similar functions within organizations. Other functions within organizations such as physical security and audit have many common interests and goals with information security. Given that resources available to information security are almost invariably limited, cooperating closely with and leveraging these other functions in mitigating risk is the most logical course of action. Some ISMs neglect doing this, however.

There are additional reasons that information security practices do not achieve greater levels of CMM maturity. The ones I have presented are, in my mind, the most critical ones, however.
