Research Shows Information Security Management Has A Long Way to Grow

Jan 01, 2005 · 4 mins
Data and Information Security, Security

This is NOT a maturity model.

The charts on the following pages reflect first results from the Security Capability Model, a survey tool on information security management processes co-developed by CSO and Carnegie Mellon University’s CERT Coordination Center (CERT/CC) to help respondents compare their security processes, particularly those pertaining to information security, with those of other organizations.

The Security Capability Model obviously draws some inspiration from the Capability Maturity Model (CMM), a rigorous tool for process management in software application development created by CMU’s well-known Software Engineering Institute (SEI). The reason for borrowing the “capability” part of that name, but not the “maturity,” is this: “The whole notion of maturity as reflected in the CMM is built on the notion of long-term practice. There were 20 years of experience to base the CMM on,” says Julia Allen, a senior technical staff member with SEI. “That doesn’t exist yet in information security. We don’t yet feel there’s a long enough history” to clearly state what constitutes “mature” information security practices.

How to Read the Charts

In lieu of attempting an absolute standard for correct or mature practices (though a variety of those already exist elsewhere, ranging from ISO standards to SEI’s own OCTAVE risk management methodology), the model provides the opportunity to benchmark against others in 22 specific practices. The chart on the opposite page presents the full survey results, grouping the practices under four headings: managing risks, setting policies, securing systems and networks, and handling corporate security. Looking at the first practice area on the chart, 60 percent of the total response base said they have a process in place for conducting regular vulnerability assessments. Fewer, 49 percent (again of total respondents), said they have specified an owner for that particular process. Only 22 percent of all respondents said they regularly review and update this process, which is the group described by the model as most capable in this practice area. (The least capable group would be the 40 percent who, by implication, have no process in place at all.)

Beyond this left-to-right growth in capability, Allen notes that there is also a greater degree of sophistication reflected in the processes at the top of the three infosecurity-related charts (managing risks) than at the bottom (securing systems and networks).

For comparison, the model also measures corporate security capability in a few areas outside of infosec: facility access, business continuity plans, employee awareness training and background checks. The results indicate that information security is not the only area that needs more attention. While access cards, for example, are fairly common, employee training in recognizing suspicious events or items is one of the least common practices measured in the entire survey.

The survey remains open on the CSO website; CSO and CERT will capture and present the results over time in order to observe trends. Given the proliferation of security- and risk-related regulations, one might expect that compliance efforts alone will drive more organizations toward better-defined security. However, Allen says that’s unlikely. “We find in our fieldwork that companies that use regulatory compliance as the stick [to drive improvement] tend to be less capable,” she says. Allen says the more capable, and more successful, organizations are those treating security as a business objective; these companies achieve regulatory compliance by documenting existing processes, rather than by scrambling to jury-rig new processes to meet the letter of the law.

If CERT’s observations are correct, it’s going to take a lot more than regulation to push the business world toward more capable information security. The Security Capability Model is structured to suggest a more effective approach: start by improving risk management processes, then move from there to policy and then to technology, rather than maintaining today’s widespread focus on technology solutions as the sole approach. In addition to other improvement themes regularly stressed in CSO (such as better governance models and more rigorous definition and use of metrics), CERT offers ideas and suggestions on a newly created website dubbed “Governing for Enterprise Security” (governance/ges.html).

Some day, information security will arrive at maturity. But judging by this first set of results, there’s a long way to grow.