ISACA Journal
Volume 6, 2014

Features 

From Here to Maturity—Managing the Information Security Life Cycle 

Kerry A. Anderson, CISA, CISM, CGEIT, CRISC, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP 

All living things have a life cycle, from creation to their eventual conclusion. This is true of microorganisms, animals, individuals and organizations. The life cycle paradigm holds true for teams and the programs they manage, including information security programs, each of which has its own unique life cycle. However, information security programs move through a series of stages that tend to be remarkably alike, with similar milestones and indicators. A number of factors, such as organizational culture, leadership, business sector, competitive environment, external events and regulatory environment, may affect the maturation progress.

During the 1970s, Richard L. Nolan, Ph.D., developed one of the early models for evaluating the maturity of information technology functions: the Stages of Growth Model for IT Systems.1 While this model has undergone some modifications, it is still in use today. The basis of the Nolan model is a qualitative assessment of maturity. While the Nolan Stages Model was specific to the maturity life cycle of IT organizations as a whole, its structure and stages can be adapted to various technology-related functions performed by the organization. This model can be adapted for information security and enhanced by identifying a set of benchmarks for each of the maturation stages. The information security model, while not scientifically vetted, can help the information security practitioner quickly estimate the maturation stage of an information security program.

Why the Maturity Stage is Important

Assessing the relative maturation stage of an information security program is important to determining if a security technology or best practice is appropriate for implementation. Information security programs at lower maturity levels may find it difficult to deploy or integrate complex technologies and operational practices. Maturation cannot be rushed. Just as with people, information security programs progress along the maturation life cycle at their own unique pace. An information security program’s maturity stage must be factored into all planning regarding people, process and technology. If a disparity occurs in the alignment of these elements and the information security program’s maturity, the security posture may be less effective in fulfilling its objectives or fail to reap the benefits of its security investments. This situation may occur when a security executive from a highly mature information security program takes over a less mature program and tries to force the practices of his/her prior program into the new environment.

Organizational Maturity vs. Information Security Program Maturity

It is possible for no correlation to exist between the overall maturity of the organization and its information security program. For example, an Internet service company might be very mature in terms of its business model, financial operations and technology infrastructure. However, it may not have formally addressed information security to any extent beyond basic technical security functions, such as firewall administration. A good example is high-tech start-up companies. These companies may achieve maturity in the majority of their operational functions, but fail to establish a formal information security program. Initially, these companies may have limited assets and little to lose, so they can be cavalier in their approach to information security risk. However, as these companies grow and become successful, the financial and reputational risk associated with an information security incident increases.

Experiencing a security incident can also stimulate the creation of an information security program. A good example is LinkedIn, a successful social networking web site with more than 150 million users that initially had no chief information security officer (CISO).2, 3 In 2012, LinkedIn confirmed that a network breach had exposed hashed passwords associated with nearly 6.5 million accounts.4 This situation is not limited to Internet companies either. Both Sony and Target experienced significant data breaches, and it was reported that neither corporation had designated a CISO role to drive its information security program.5, 6

What Stimulates Maturity Progress

While it is possible for momentum for information security program progression to emanate from within an organization, such as from the hiring of strong, experienced leadership, more often it results from an external stimulus, such as:

  • Technological change—According to Ray Kurzweil’s The Law of Accelerating Returns, this century will see almost a thousand times greater technological change than in the prior century.7 This means information security programs must develop the maturity to respond to even greater challenges in managing risk. Many technologies with risk factors that are being managed today (e.g., cloud computing and smartphones) did not even exist a decade ago. Many established best practices might become obsolete because technology or other innovations may create new best practices to replace existing ones. A good example is bring your own device (BYOD). Just a few years ago, it was considered best practice for organizations to supply and control phones and other mobile devices used for business activities. The IT consumerism trend, as well as economic benefits, has replaced this accepted practice with BYOD and spurred the creation of technology solutions to secure business communications on a personally owned device. Technology drives information security programs to evolve and mature to meet the challenges created by innovation.
  • New regulatory requirements—In addition to technology, the regulatory environment has continued to expand with, for example, the Payment Card Industry Data Security Standard (PCI DSS) and the US Health Insurance Portability and Accountability Act (HIPAA). Many organizations do not create a separate information security program until an external impetus forces them to do so. However, these knee-jerk responses to compliance requirements may fail to yield a mature, holistic approach toward information security. The newly minted program often thrashes around, attempting to meet security challenges and expectations with limited experience and undeveloped processes, while its executives may perceive the information security program as exhibiting a significantly higher maturity level. One reason this occurs is due to confusion between the usages of security technology and the maturity of the information security program. One defining symptom of the first stage of an information security program’s maturity is the silver bullet8 syndrome, in which the answer to all problems is the acquisition of technology. However, an information security program at lower maturity levels may lack the required expertise to implement the technology to optimize its full benefits. Without appropriate leadership and executive support, the resulting information security program may remain in an early compliance-centric state.
  • Significant external cybersecurity events—Major external security events often fuel increases in maturity because they put security into the spotlight and get the attention of executives. This can fuel the maturity of information security programs by increasing executive support and budgets to fund security initiatives. Over the last decade, some cybersecurity-related incidents that have driven new investment in information security programs include:
    • Major breaches (e.g., those against TJX, Sony and Target)
    • Insider incidents, such as the information leaked by Edward Snowden
    • Corporate espionage
    • Malware

The Nolan Stages Model and Other Maturity Models

An information security program represents the sum of all information security processes, technology, policies, governance, business alignments, awareness activities and other elements necessary to effectively manage the organization’s security posture. “The Golden Triangle” of people, process and technology composes an information security program.

Many existing information security maturity models have their roots in the Capability Maturity Model (CMM), which is a process model. The Software Engineering Institute (SEI) at Carnegie Mellon University (Pittsburgh, Pennsylvania, USA) developed the CMM in the mid-1980s. Process models use a structured collection of practices that describe the characteristics of effective processes against five maturity levels, with a focus on standardization. The CMM has been applied to software and systems engineering, project management, risk management and information technology (IT) services. CMM focuses primarily on the process dimension rather than on the other two attributes, people and technology. However, it is the human dimension that acts as the catalyst for the transformation and growth required to move along the maturity continuum.

Another approach, used by Security Innovation’s Corporate InfoSec Maturity Path, views information security maturity as a grid with two axes: people and process on the x-axis and tools and technology on the y-axis.9 A point on the grid represents the information security program’s maturity and its path toward security. This approach offers a way to gauge maturity progress and takes people, process and technology into consideration. However, it lacks precision and defined stages for assessing the maturity of the information security program.

After reviewing the various approaches available for assessing an information security program’s maturity, the author adopted the Nolan Stages Model. Richard Nolan’s Stages Model is the best-known and most widely cited model of computing evolution in organizations, and the concepts it introduced influenced subsequent maturity models. Nolan proposed stage benchmarks that management can use to gauge where an IT-related function currently stands and what developments lie ahead of it in its maturity journey. The Nolan Stages Model is unique in both its simplicity and adaptability, and continues to be used by many organizations.10 The Nolan Stages Model was selected for the following reasons:

  • It was originally designed to assess information technology, so it is easily adapted for another function that has a program focus around the use of people, process and technology.
  • It is easy to understand and explain to management.
  • An experienced practitioner can use the model to evaluate maturity based upon interviews with key personnel and stakeholders, as well as with personal observations.
  • It provides a qualitative measure of maturity.
  • The original model11 used four stages, and later expanded to six, including a data administration stage. The data administration stage is particularly relevant to information security that focuses on data as a critical asset and their protection.
  • The Nolan stages use budget as an indicator of a function’s penetration and use within an organization. Few models address the budgeting aspect of a program or function despite its criticality in growing and supporting program activities.

Using Benchmarks to Determine the Information Security Program’s Maturity Stage

It is possible to perform an ad hoc assessment of information security maturity by using benchmarks that are indicative of an information security program’s development. The following are benchmarks of development:

  • Planning duration (short- and long-term planning)
  • Focus and activities (internal, external or both)
  • Policies
  • Security awareness
  • Budgeting
  • Primary concerns
  • Business alignment
  • Prerequisites to move to next stage of development

No single benchmark is indicative of the information security program’s overall maturity. However, the benchmarks, when considered together, can yield an excellent approximation of where an information security program exists on the maturity life cycle continuum.

The Six Steps of Information Security Maturation

This adaptation of the Nolan model for information security organizations uses a six-step maturity paradigm.12 The model can be envisaged as a flight of stairs that the information security program must climb to increase its effectiveness. Like stairs, an information security team can ascend or descend based upon the actions and attitudes of the information security program.

Step 1: Initiation
This step denotes the formal creation of an information security program by the organization as the result of an executive-level decision. This decision can be driven by either internal requirements or external influences, such as new compliance regulations or a security breach. The first visible evidence of the newly minted information security program is the creation of a formal high-level information security policy, which offers proof of executive management support. Former security administrators or other technical staff with limited formal training or expertise in the information security discipline may staff the team. The defining characteristic of this stage is the rapid acquisition of security technology with limited formal processes around their use (figure 1).

Figure 1 Figure 2

Step 2: Contagion
During the contagion step, the silver bullet syndrome may continue with regular acquisition and replacement of security technologies. This approach may obscure the need to integrate people and process to optimize technology investments. Information security staff members still often find themselves fighting fires rather than establishing repeatable and automated processes. The information security policy often needs enhancement beyond a basic policy to include standards, guidelines and procedures. This expansion may involve inclusion of a standardized exception process to manage issues of noncompliance. Primitive metrics and logging may be introduced in an effort to identify risk trends, monitor user behaviors and create baselines for comparisons (figure 2).

Step 3: Control
The control step represents a critical juncture in maturity development. It may represent a shift from a compliance-centric view of the information security program to a risk-based paradigm. The information security program begins to address specific gaps based on a formal assessment process. Policy development becomes increasingly formalized to include a governance model that extends across the organization. Potential security solutions are evaluated against a specific set of criteria based upon their capabilities to resolve identified risk, potential for return on investment (ROI) and compatibility with the organization’s strategic direction.

As the information security program expands, there is increasing specialization of job functions. Senior staff may assume informal leadership roles. A job ladder that offers career growth for technically focused positions may increase employee retention rates. A distinguishing sign of the control stage is the establishment of repeatable and automated processes (figure 3).

Figure 3 Figure 4


Step 4: Integration
During the integration stage, the information security program moves away from a more isolated existence and its activities merge seamlessly into business processes. Some staff members assume the role of liaisons across the various business areas. The net effect is the embedding of security across the organization. Solution acquisition becomes more deliberate and needs to be justified based upon cost-benefit analysis. The information security program’s staff assumes a proactive attitude by looking for possible ways to add value to business functions, such as by participating in meetings with prospects and discussing security aspects of the products and services offered by the organization.

As the information security program matures, it seeks external influences to drive its maturity by interacting with others to gain exposure to new ideas, paradigms and knowledge. The program’s staff builds upon existing external relationships, such as peer organizations and industry groups (figure 4).

Step 5: Data Administration
During this stage, the information security program moves toward a strategic concentration on protecting its most critical assets: its data. This stage is defined by the adoption of a data-centric strategy with an objective of protecting data’s value over their life cycle. The information security program needs to ensure that data receive suitable protection from external and internal threats. A data-centric approach offers the opportunity to achieve a market advantage by using the organization’s valuable data, such as big data strategies, while still protecting these critical assets. This can result in the adoption of a formalized data classification model and tools to enforce it. In addition to managing the security concerns of data housed internally, a data-centric protection strategy looks to control risk around sensitive information shared with external parties, such as business partners and vendors. Data-centric security teams need to coordinate closely with internal functions, such as legal, procurement and IT, to ensure that sensitive data stored outside the organizational security perimeter are secured appropriately during their entire life cycle (figure 5).

Figure 5 Figure 6

Step 6: Continuous Renewal
Only a fraction of all information security programs reach this stage. Continuous renewal is analogous to the Japanese concept of Kaizen,13 the term for continual improvement. Kaizen originated in the post-World War II effort to rebuild Japanese industry using the statistical control methods of W. Edwards Deming. The Economic and Scientific Section (ESS) group was tasked with developing Japanese management skills and created a training film titled Improvement in Four Steps (Kaizen eno Yon Dankai), which introduced the concept of Kaizen to Japan.14

Achieving this stage is not the end of the road; it signifies a new maintenance phase requiring vigilance in sustaining all the people, processes and technologies, and continuing to manage emerging risk. The information security program has assumed a proactive posture with an emphasis on forecasting nascent security threats and technologies, such as watching for regulatory or technical innovations that may create a need for new security controls. The program’s staff is comfortable reviewing the current state of information security in terms of its existing controls, level of performance and opportunities for improvement. The information security program uses key metrics to track its effectiveness. The CISO uses financial justification for the program’s expenditures and its contributions to business activities, especially in relation to revenue creation. A compliance culture is the reward at the end of the maturation journey for the information security program (figure 6).

Tips for Managing the Information Security Maturation Process

No information security program can stay static when managing a dynamic and challenging threat environment such as the one currently confronting organizations. Not every information security team needs to achieve the highest maturation stage. However, it needs to achieve an appropriate level of maturity to support the needs of the organization it serves. It then needs to maintain that level of maturity through continuing efforts. In general, this does not occur organically, but requires a plan and concerted effort. The following is advice on how to grow and sustain the maturity development process:

  1. Remember that the appropriate destination stage for an information security program’s maturity is dependent on the organization, its threat landscape, risk tolerance and business segment.
  2. Be realistic in determining the existing state of the information security program on the maturation continuum.
  3. Identify key benchmarks to assess the information security program’s development toward higher maturity stages.
  4. Have a plan B16 in reserve to fall back on if unanticipated internal and external events occur.
  5. Be prepared for setbacks. They are normal. It is the team’s reaction to them that makes the difference.
  6. Remember even when an information security program achieves the Kaizen stage, the program needs to continue to evolve or risk descending the maturity ladder to a lower stage.

Moving up the Maturity Ladder

Sometimes an information security program can straddle two maturity stages, e.g., exhibiting traits of a higher step in one aspect of its functioning, such as budgeting, while still presenting primarily the characteristics of a lower stage of maturity. This situation, which is both possible and common, may occur because a member of the staff with experience in a specific area drives the program to achieve higher maturity in that function. For example, a project manager with extensive financial skills might advance budgeting procedures. In these situations, the assessment of the maturity stage should reflect the preponderance of the traits exhibited by the information security program.

Assessing and managing an information security program’s maturity stage offers a number of benefits. A primary advantage is that it can help information security professionals develop a strategic approach to move the program along the maturity ladder. This is especially true as the information security program reaches the midpoint of the maturity continuum and appears to plateau. A plateau can resolve in either of two directions: like a flight of stairs, the information security program can move up or down. By actively monitoring and managing the maturation of the program, it may be possible to identify factors hindering its progression to the next stage and remove those obstacles, accelerating progress toward maturity. In addition, it may be possible to expedite progress up the maturity ladder by using specific tools, such as effective leadership, generous resource availability and executive support. Forward movement requires senior management support, because an effective information security program is built top-down.

Endnotes

1 Nolan, Richard L., “Managing the Crises in Data Processing,” Harvard Business Review, March 1979, http://hbr.org/1979/03/managing-the-crises-in-data-processing/ar/1
2 CISO Platform, “5 Lessons from the LinkedIn Breach,” 29 June 2012, www.cisoplatform.com/profiles/blogs/5-lessons-from-the-linkedin-breach
3 Chabrow, Eric; “LinkedIn Has Neither CIO nor CISO: Failing to Learn Lessons from the RSA, Sony Breaches,” The Public Eye, Bank Info Security, 8 June 2012, www.bankinfosecurity.com/blogs/linkedin-has-neither-cio-nor-ciso-p-1289
4 Kitten, Tracy; “LinkedIn: Hashed Passwords Breached,” InfoRisk Today, 6 June 2012, www.inforisktoday.com/linkedin-hashed-passwords-breached-a-4837?webSyncID=665c8703-e514-40d4-acd9-0bcaab3d3208&sessionGUID=2902c381-3da0-b37d-7348-a49dd009a011
5 Chabrow, Eric; “Breach Gets Sony to Create CISO Post,” Bank Info Security, 2 May 2011, www.bankinfosecurity.com/breach-gets-sony-to-create-ciso-post-a-3599
6 Donovan, Fred; “Target Did Not Have CISO to Oversee Information Security Prior to Massive Breach,” Fierce IT Security, 10 March 2014, www.fierceitsecurity.com/story/target-did-not-have-ciso-oversee-information-security-prior-massive-breach/2014-03-10#ixzz32XoVSTKS
7 Kurzweil, Ray; The Law of Accelerating Returns, www.kurzweilai.net/the-law-of-accelerating-returns
8 Merriam-Webster, “Silver Bullet or Magic Bullet,” www.merriam-webster.com/dictionary/silver%20bullet
9 Security Innovation, an information security consulting firm, developed the Corporate InfoSec Maturity Path, using this approach.
10 Hollyhead, Andy; Alan Robson; “A Little Bit of History Repeating Itself—Nolan’s Stages Theory and the Modern IS Auditor,” ISACA Journal, vol. 5, 2012, www.isaca.org/journal
11 Damsgaard, Jan; Rens Scheepers; A Stage Model of Intranet Technology Implementation and Management, www.researchgate.net/publication/221409245_A_Stage_Model_of_Intranet_Technology._Implementation_and_Management/file/50463515458b50827a.pdf

12 Anderson, Kerry; “The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture,” CRC Press, May 2014
13 Stephenson, Steve; “What Is Kaizen Tutorial?,” Graphic Products, www.graphicproducts.com/tutorials/kaizen/
14 Maurer, Robert; The Spirit of Kaizen: Creating Lasting Excellence One Small Step at a Time, 1st Edition, McGraw-Hill, 2012
15 The Intel Corporation introduced the concept of the “people perimeter” in the late 2000s to stress the criticality of individuals’ actions on the security of the enterprise. See Jackson, Brian; “‘People Are the New Perimeter’ Says Intel,” 2008, www.itbusiness.ca/news/people-are-the-new-perimeter-says-intel/12443
16 Alternate strategy for accomplishing a function when the primary way of doing something is not available. Cambridge Dictionaries Online, “Plan B,” http://dictionary.cambridge.org/us/dictionary/business-english/plan-b

Kerry A. Anderson, CISA, CISM, CGEIT, CRISC, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP, is an information security professional with more than 16 years of experience in information security and compliance. She is an adjunct professor of cybersecurity at Clark University (Massachusetts) and the author of numerous articles in professional journals and the book The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture. She can be reached at kerry.ann.anderson@verizon.net.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.