Yesterday Brian Krebs published an interesting post on security maturity models. He offered a few examples and asked, “Are they a useful way for getting a handle on security and increasing maturity within your organization?” I figure this is as good an opportunity as any to share my experience with maturity models and offer one that may help you advance your organization’s vulnerability management program.
I’ve long been a fan of the Carnegie Mellon Maturity Model, starting with my years at EDS, where we used it extensively to understand our capability, maturity and ability to deliver. I also used this approach when I was the CISO of Providence Health & Services. It was one that my board and senior leaders could really wrap their heads around.
When I moved to Core Security, I realized there was really no coherent approach to vulnerability management other than scan-and-patch plus PCI as a framework. This was clearly not working just based on the number of breaches involving systems with vulnerabilities known to exist and be exploitable. In fact, this year’s HP Cyber Risk Report found that 44% of breaches are the result of vulnerabilities which are two to four years old.
Working with some of the other smart folks at Core Security, I built a structured maturity model for Threat & Vulnerability Management that I believe will allow any organization to significantly reduce the risk of breach.
As noted by some other folks commenting on Krebs’ initial post, a model without actionable details is very basic. Many maturity models are just that – a description of each level – with no detail behind it on how to advance your organization or why you should do so. With this model, I set out to offer a clear roadmap for organizations to follow.
I hope you’ll download the full Vulnerability Management Maturity Model white paper and share your feedback!