When we sit down with our enterprise customers the discussion usually hinges on two questions: where is your enterprise security program today, and where do you want it to be tomorrow?
For many companies, the answer is pretty straightforward – they want to improve their overall security posture, reduce risk, and lower costs. But how do they get there?
We believe that with enterprise security, as in many other industries, you can measure the cost and effectiveness of your security program, as well as build a strategic roadmap for future planning, by relying on a maturity model that takes into account the real-world experiences of other organizations.
We look at maturity in four stages – Reactive, Compliant, Proactive and Optimized:
REACTIVE: In this stage, quite simply, an incident occurs and the organization tries to react. These businesses are usually doing as much as they can with a small security budget to address their most basic threats. However, not only is overall risk higher, but reactive management of security can yield much higher IT cost over time.
COMPLIANT: Here, an organization is beginning to define security policies and processes in order to meet external compliance mandates like PCI, SOX, FISMA or HIPAA. There is some standardization at this stage, but usually still at a very high cost (capital or resource), because technologies are disparate and security processes are still nascent.
PROACTIVE: At this point, the business begins to look at the efficiencies gained from centralized security management. Processes are usually more mature and the organization generally has a handle on compliance regulations. Cross-product integration is increasing, but the security technologies and processes do not yet all leverage one another, and costs remain high given the sheer number of point tools in play.
OPTIMIZED: Here the various security technology dots, if you will, become connected. Risk awareness, management and policy definition are fully centralized, and compliance is automated. Threat intelligence is updated in real time and correlated, so that information from one sensor technology can benefit another. This company has combined multi-layered defenses with threat intelligence and centralized management, leading to greater IT protection and a significantly lower overall cost of security.
This is just a snapshot of how we characterize the stages of enterprise security maturity. We’ll be diving deeper into each of the stages and the elements of what it means to plan for an optimized security program in future posts, but in the meantime – where do you see your security organization today?
Thank you for your post on this subject. I find it interesting to see a maturity model specifically created for Enterprise InfoSec.
Do you find that organizations usually fall into one category from this list? My experience has been, especially in large organizations, that different functional and business areas operate at different levels of maturity. For example: the network team might be optimized, but the development teams very reactive.
I find maturity models a useful tool for comparing where we want to be versus where we are in general terms from an executive level, but when it comes down to the in-the-trenches infosec implementations they come up short.
Thanks again.
Robb -
Thanks for your comment. I’d agree with you that companies, and various groups within your organization, even different projects and initiatives can often exist at various stages of maturity. It’s also important to consider that changes within the company – for instance, the expansion or consolidation of a business unit or office, the acquisition of another company, etc. – can also affect your maturity posture. What was once ‘proactive’ might slide back to ‘compliant’ as organizations work to secure newly introduced infrastructure or data sources, for example.
Nonetheless, we’ve found that this maturity model helps information security executives to set goals for their initiatives and measure their progress. By having a common set of benchmarks and practices, we believe IT security professionals can more effectively achieve their short and long-term information security goals.
Matt