After an in-depth survey of IT security and risk professionals, as well as our ongoing work with leaders in this field, Forrester recognized the need for a detailed, practical way to measure the maturity of security organizations. You asked, and we responded. I’m happy to announce today we published the Forrester Information Security Maturity Model, detailing 123 components that comprise a successful security organization, grouped in 25 functions, and 4 high-level domains. In addition to the People, Process, and Technology functions you may be familiar with, we added Oversight, a domain that addresses the strategy and decision making needed to coordinate functions in the other three domains.

Our Maturity Model report explains the research and methodology behind this new framework, which is designed to help security and risk professionals articulate the breadth of security’s role in the organization, identify and fix gaps in their programs, and demonstrate improvement over time.

What makes the Forrester Information Security Maturity Model work?

It’s objective. The detailed characteristics required to meet each maturity level are based on extensive research and best practices.

It’s prescriptive. Achieving the next level of maturity for each of the 123 components requires very specific actions.

It’s process-oriented. The maturity levels are based on how organizations approach security decisions and implementations, not the implementation of the latest and greatest security technologies.

It’s modular. We made this model as comprehensive as possible, but we recognize that many organizations will choose to assess just a specific subset of functions at any given time.

It’s uncomplicated. Security teams must constantly respond to auditors, regulators, business partners, and other stakeholders with different types of assessments. This model is based on high-level assessment data and observations, not detailed data collection.

This was a collaborative effort involving Forrester’s entire Security and Risk team. I provided a lot of the coordination as well as content in the governance, risk, and compliance areas, but relied on my cohorts to fill in the detailed criteria for the other aspects of the model.

—Chris McClean, Forrester Research