Research Shows Information Security Management Has A Long Way to Grow

First results from a new security management survey indicate that many companies have only rudimentary practices in place

By Derek Slater

January 01, 2005 (CSO) — This is NOT a maturity model.

The charts on the following pages reflect first results from the Security Capability Model, a survey tool codeveloped by CSO and Carnegie Mellon University's CERT Coordination Center (CERT/CC) to help respondents compare their security processes, particularly those pertaining to information security, with those of other organizations.

The Security Capability Model obviously draws some inspiration from the Capability Maturity Model (CMM), a rigorous tool for process management in software application development created by CMU's well-known Software Engineering Institute (SEI). The reason for borrowing the "capability" part of that name, but not the "maturity," is this: "The whole notion of maturity as reflected in the CMM is built on the notion of long-term practice. There were 20 years of experience to base the CMM on," says Julia Allen, a senior technical staff member with SEI. "That doesn't exist yet in information security. We don't yet feel there's a long enough history" to clearly state what constitutes "mature" information security practices.

How to Read the Charts

In lieu of attempting an absolute standard for correct or mature practices (though a variety of those already exist elsewhere, ranging from ISO standards to SEI's own Octave risk management methodology), the model provides the opportunity to benchmark against others in 22 specific practices. The chart on the opposite page presents the full survey results, grouping the practices under four headings: managing risks, setting policies, securing systems and networks, and handling corporate security. Looking at the first practice area on the chart, 60 percent of the total response base said they have a process in place for conducting regular vulnerability assessments. Fewer (49 percent, again of total respondents) said they have specified an owner for that particular process. Only 22 percent of all respondents said they regularly review and update this process, which is the group described by the model as most capable in this practice area. (The least capable group would be the 40 percent who, by implication, have no process in place at all.)

Beyond this left-to-right growth in capability, Allen notes that there is also a greater degree of sophistication reflected in the processes at the top of the three infosecurity-related charts (managing risks) than at the bottom (securing systems and networks).

For comparison, the model also measures corporate security capability in a few areas outside of infosec: facility access, business continuity plans, employee awareness training and background checks. The results indicate that information security is not the only area that needs more attention. While access cards, for example, are fairly common, employee training in recognizing suspicious events or items is one of the least common practices measured in the entire survey.
