Most CISOs think they have a handle on how secure their organization is, pointing with pride to the latest (fill in the blank) system that’s just been installed.
But another way to measure what’s going on is to look at the organization’s security maturity — or, as author Brian Krebs put it in a post Monday, does it make cybersecurity a part of the culture or just pay lip service to it?
There are several models IT security pros can chose from: Krebs cites one crafted by the Enterprise Strategy Group, which breaks organizations down into basic, progressing and advanced. An advanced organization, for example, has a CISO who reports to the CEO, and focuses on incident detection, prevention and response.
An executive at a security vendor suggests a three-tier model which measures maturity in terms of preparedness and expectations. A reactive organization, for example, lacks executive support for IT security, and its IT operations are underfunded, understaffed and lack metrics for reporting. Business units are then ranked 1 to 5  across six categories (for example, security awareness and training.)
There are other models, some based on controls set out in the ISO 27001 family of information security management standards.
As Krebs notes, measuring security maturity can also provide a roadmap for organizations that wish to change their security culture. “Perhaps unsurprisingly, entities that are able to manage that transition typically have a leadership that is invested in and interested in making security a core priority,” he writes. “The real trick is engineering ways to influence the leadership, with or without the fleeting momentum offered by a breach.”