The CMMI (Capability Maturity Model Integration) version 1.3 as defined by Carnegie Mellon University is a five step process-improvement approach, which can be used to measure how mature an organization is based on traits it exhibits. Defined as Initial, Repeatable, Defined, Quantitatively Managed, Optimizing, these five progressions through 'maturity' offer glimpses into how you can determine where in the progression your organization is, and what traits you can expect at that level.
The interesting thing, in my opinion, is while the CMMI is officially built to accommodate three areas of interest (see wiki article above), I believe it can be applied to nearly anything, with a little work. I believe the CMMI can be applied to more than just products or services. It can be applied to business as well and generically to IT, and even maturity of Information Security organizations. It appears from recent conversations that I'm not alone in thinking this... but what is interesting is that for certain levels of business process maturity, the maturity of the Information Security organization lags at different levels.
This is where I am blessed with having colleagues and friends up and down the spectrum of companies; from largest enterprises to small shops, I can call these people to talk shop and share experiences. From talking to CISOs of enterprises large and small, the CMMI maturity of Information Security appears to generally lag that of business process maturity until you get into the upper levels of business process maturity. By that token, the more mature the business, the more likely that Information Security will be lock-step with strategy. Makes perfect sense.
If you map your business's CMMI maturity level, your Information Security organization will be (on average) ~1 CMMI level behind your business. The formula is a little more complicated than that, actually...
- For business at low CMMI level 1-2, Information Security maturity is highly likely to lag ~1 rung below business
- For business at higher CMMI levels 3-4,Information Security maturity is significantly less likely to lag business maturity, by ~1 level
- For business at top-tier CMMI level 5, Information Security maturity is likely to be at parity with business maturity - due to Information Security partnering with the business
After some discussions with enterprises large and small, this appears to hold, and I'm interested to hear your thoughts and opinions on this topic.
I think this happens because of three reasons. Here's my logic...
- Except for the most mature organizations, technology management always trails business adoption of that technology
- Technology takes time to understand, adapt to and defend
- Information Security organizations, unless they become business partners, will always be reacting to business adoption of technology (what we see today with BYOD, cloud, etc.)
Based on some unscientific, preliminary research I believe that Information Security organizations are lagging behind their businesses counterparts in maturity for the above reasons. This is significant because it helps us understand both the reactive nature of the business and their relationship with security as well as the traits we see coming from the security organization. This is also significant because it clearly demonstrates how critical it is to become a business partner, no matter where the business maturity level is.
Here's an example...
If your business process maturity is at CMMI Level 3 (Defined) and your projects and processes build upon established business standards then it is likely that your information security maturity is at CMMI Level 1 or 2, which means you're still reactive to the business needs. This illustrates the absolute need for partnering with the business rather than trying to continually play parity or catch-up. I think one of the keys to making the business-security relationship more tenable is understanding this CMMI-based relationship and what leads to it.
Clearly this needs more research and concrete data, but this is the principle I'd like to layout for your consideration. I will be collecting data to support (or refute) this over the course of the next several months and will report on this topic later on... Stay tuned.