No, I’m not asking how old you are or if you still laugh at fart jokes, but how mature is your security program? Traditional security isn’t working anymore, and its relevance erodes as the business moves ahead without it.

[Image: Tower of Limes, by Darwin Bell]

If you’ve heard me speak about information security maturity lately, you may have heard me compare our industry and function to Maslow’s Hierarchy of Needs. For those of you who may need a refresher, here are the basics (minus a few to stop some search engine hits). In order for a human to realize his full potential, he must have specific needs met. Those are:

  1. Physiological: food, water, sleep, movement toward stability
  2. Safety: security of body, employment, resources, morality, family, health, property
  3. Love: friendship, family
  4. Esteem: confidence, achievement, respect of and by others
  5. Self-Actualization: morality, creativity, spontaneity, lack of prejudice, problem solving, acceptance of facts

A human must go through these stages, in order, to reach full potential. I believe an information security program must go through similar stages to reach its potential. Those stages might be:

  1. Basic defense: firewalls, vulnerability detection (through scanning), patch application
  2. Compliance and depth of defense: ability to demonstrate compliance with point initiatives (non-programmatic), build basic layers of defense (DMZ, application stacks), beginning to merge the physical and electronic security worlds
  3. Risk-based security: ability to adjust controls based on current risk/threat scenarios; not all vulnerabilities are equal, so the posture is modified to be heavy in some areas and lighter in others
  4. Business-Oriented: the equivalent of self-actualization (and we got there in only four steps!), whereby security exists as an extension of the business, in many cases consumed transparently, enabling secure business growth

Our experience says that most companies are sitting somewhere in the second tier of this security maturity model—but not congregated around one point. Most companies have to deal with some level of compliance, and do so with varied success.

Companies that move toward business-oriented security aren’t necessarily constrained by resources. Both big and small companies are spread all over the maturity model, with some small companies being quite self-actualized and some large ones barely handling compliance.

In order to mature, there are a few things we need to do:

  • Embrace automation. Since you are already tasked to do more with less, stop chasing things around on paper or in spreadsheets. Automate your ability to deal with compliance and the basics of information security.
  • Agile and risk-based controls. Your ability to demonstrate agility based on a deep understanding of risk and of the external and internal threat landscape is critical to your progression. Realize that you have more than one tool in your bag, so that not every problem looks like a nail (as it does when your only tool is a hammer).
  • Contextual knowledge of events. You must be able to see events in the context of your environment (internal and external) as well as how they relate to the business. Without true business context, you cannot possibly scale and mature.
  • Functional GRC. A GRC framework can’t exist only in spreadsheets and only in support of a compliance initiative (that’s step 2, remember?). A functional GRC framework will drive your security strategy from your business operations and goals.

So, readers out there, what’s your security maturity? Do you fall in step 2? Have you started self-actualizing? If you are stuck, what do you think has to happen in order to move the company forward?

This post originally appeared on
