used with permission from HP Technology at Work
We’ve all heard it time and again: You can’t manage what you can’t measure, and that is especially true for enterprise security. If you’re like most organizations, your security posture could use some improvement, as HP Enterprise Security’s State of Security Operations report found:
- Nearly a quarter of assessed security operations centers do not meet the minimum requirements to provide consistent security monitoring.
- Only 30 percent of assessed organizations are meeting business goals and compliance requirements.
Those numbers are especially worrisome in light of further findings in the report: since 2010, the cost of data breaches has ballooned 78 percent, and the time it takes to resolve a cyber-attack has increased 130 percent. The report, based on more than 90 assessments of 69 security operations organizations worldwide, concludes that “there is a clear need for improvement in the effectiveness of security operations to limit the impacts and speed the resolution of such events.”
The report is not all doom and gloom: it includes a scale that enterprises can use to assess and measure their level of security maturity. HP’s Security Operations Maturity Model (SOMM) describes a successful, mature security intelligence and monitoring capability in terms of variables such as people, process, technology, and supporting business functions. The scale is a modification of Capability Maturity Model Integration (CMMI), a process improvement program that provides organizations with the elements of effective processes, developed by members of industry, government and the Carnegie Mellon Software Engineering Institute (SEI).
The SOMM uses a 0-5 scale similar to the CMMI model, with a zero representing a complete lack of capability and 5 representing a capability that is consistent, repeatable, documented, measured, tracked, and continually improved upon.
SOMM levels—how does your enterprise score?
Answer the following questions to get a rough idea of where your business falls on the Security Operations Maturity Model spectrum.
The report explains that even organizations lacking a formal threat monitoring team typically score “between a level 0 and level 1, because even an organization with no formal full-time equivalent (FTE) or team performs some monitoring functions in an ad-hoc manner.” As a rule, an organization with a team focused on threat detection scores between a 2 and 3. The world’s most advanced security operations centers (of which there are very few) typically receive an overall score between a level 3 and level 4.
| Question | If “yes”, you’re at level: |
|---|---|
| Does your enterprise lack security operational elements? | 0 – incomplete |
| Are the bare minimum requirements to provide security monitoring met, but nothing is documented and actions are ad hoc? | 1 – initial |
| Are business goals met? Are operational tasks documented, repeatable, and able to be performed by any staff member? Are compliance requirements met? Are processes defined or modified reactively? | 2 – managed |
| Would you characterize your security operations as well-defined, subjectively evaluated, and flexible? Are processes defined or modified proactively? | 3 – defined |
| Are your security operations quantitatively evaluated, reviewed consistently, and proactively improved, using business and performance metrics to drive the improvements? | 4 – measured |
| Have you implemented an operational improvement program to track any deficiencies and ensure that all lessons learned continually drive improvement? | 5 – optimizing |
Surprisingly, the optimal score for a modern enterprise is not level 5 but level 3 (defined), because it relies on a complementary mixture of agility for some processes and high maturity for others. Managed security service providers (MSSPs) should aim for a maturity level of 4 (measured) so they achieve consistency in operations and are better able to avoid potential penalties for missed service commitments. Beyond that, HP found that aspiring to level 5 (optimizing) is counterproductive: “overly mature operations result in stagnation and rigidity that results in a low level of effectiveness. Processes are rigid and less flexible and significant overhead is required to manage and maintain this maturity level, outweighing the benefits achieved.”
To learn more about the HP Security Operations Maturity Model, or to get a detailed assessment for your enterprise, go to the HP Security Intelligence and Operations Consulting overview.