SMotW #74: security governance maturity

Security Metric of the Week #74: information security governance maturity


We've covered a number of so-called maturity metrics previously on this blog. They usually score highly on the PRAGMATIC scale, meaning that (according to the fictional managers of ACME Enterprises Inc., at least) they are valuable metrics. 

This week's example security metric specifically concerns the governance of information security. Imagine that, for some business reason, your management was interested in or concerned about the way the organization governs information security, whether for their own purposes or perhaps at the behest of the regulators or auditors. How would you go about addressing that issue? Think about what you would do.

A sensible first step would be to clarify the requirement: what does management need to know, when, and why? Exploring what they actually mean by "governance" is a good way to tease out what they are on about. Don't be surprised if individual managers have somewhat different needs and priorities: that's all part of the metrics fun.

ACME's managers considered the maturity measurement approach laid out in an appendix to PRAGMATIC Security Metrics. They scored this metric at 87%:

P    R    A    G    M    A    T    I    C    Score
95   97   70   78   91   89   90   85   90   87%

95% for Predictiveness and 97% for Relevance to information security are both outstanding ratings. We are often asked about predictive security metrics, so this is a good'un.