Security Executive Council developing a maturity model for corporate security

Maturity models are commonly used in many industries and corporate functions, including IT, supply chain, HR, enterprise risk management and marketing. However, no maturity model exists for corporate security.

“A maturity assessment defines where your program falls on a spectrum from reactive or informal to optimized,” said Kathleen Kotwica, SEC EVP and chief knowledge strategist, in a prepared statement. “The security domain indicators we use to construct the assessment (for example, governance and performance measurement) are based on years of research with hundreds of security practitioners. These assessments look at where security programs fall on a continuum and can help close the gap toward their desired state and consistency of performance.”

The SEC says its maturity assessments classify, rather than rank, program maturity. “An organization that gets a lower score on a maturity model assessment is not necessarily providing less effective security; a number of elements—including industry, corporate culture and risk appetite—influence the level of security desired,” said Bob Hayes, managing director of the SEC. Instead, the assessments are a way to determine the function’s ability for continuous improvement.

“Capability is about proficiency, competence and the confirmed skills to execute essential tasks. Maturity is about reliability and indicates levels of acceptance and established practice,” said George Campbell, SEC emeritus faculty and former CSO of Fidelity Investments. “A mature process has proven practices that have consistently delivered valued results to the organization. Understanding the current levels of proficiency and acceptance of security processes within an organization should be an essential step in building and maintaining a Corporate Security business plan.”

The SEC’s initial corporate security maturity assessments focus on five security program areas: Access Control and Physical Security; Global Security Operations Center; Investigations; Threat Management and Safe and Secure Workplaces; and Uniformed Officer Services.

“The goal is to provide corporate security practitioners a tool that can be applied relatively quickly, but that retains enough of the core of the maturity model process to provide actionable results,” said Kotwica. “As the SEC gains input and feedback from our community, we will refine and adjust the assessments to increase the value they provide to security practitioners.”

Security leaders who take the assessments will receive both their maturity score and a summary report that outlines peer comparisons.

The five assessments can be found here.