Maturity Model

The document outlines a Security Maturity Model designed to help organizations assess and improve their cybersecurity posture through five distinct levels, from ad-hoc security efforts to optimized and innovative security practices. It emphasizes the importance of a structured approach to security, compliance with regulations, and the establishment of clear roles and responsibilities within security teams. The report serves as a guide for CISOs and executives to align security initiatives with business objectives and continuously adapt to evolving risks.

Uploaded by

Manish Awasthi
WWT Research • Maturity Model • January 11, 2024 • 21 minute read

Security Maturity Model

How to assess the security posture of your organization: A step-by-step guide for CISOs to build
alignment, reduce risk and deliver business value.

This report was originally published in 2022

The need to mature cybersecurity

As the financial and reputational costs of a data breach continue to reach new heights, cybersecurity
is top of mind for leadership across every industry. And yet, as cybersecurity's profile rises, so does
its complexity. New solutions and vendors appear on the market every day. There never seem to be
enough skilled resources, and cyber attackers are exposing new vulnerabilities faster than ever.

CISOs can no longer focus strictly on developing technical capabilities and protecting their
organizations. Executives and boards are looking to CISOs to make investments that drive growth
with a holistic security framework. No security program can fully eliminate risk or human error, but a
mature approach to cybersecurity can mitigate the risks that pose the most danger to organizational
objectives and success.


What is a cybersecurity maturity model?

A security maturity model identifies distinct levels that can be used to show progression toward best
practices across your security program. It outlines key steps to establish processes that are
repeatable, thorough and have the potential for continuous improvement.

A maturity model also helps define and illustrate organizations' posture relative to compliance and
regulatory needs and, more importantly, reflects their current operational capabilities. It's important
to note that each organization's risk scenario is different, and the level of maturity across the
organization is based on how well it implements security controls, resources and processes.

Why use a cybersecurity maturity model?

A cybersecurity maturity model defines a roadmap for organizations to assess where they are in their
security transformation and clarify expectations across the organization. The model provides an
objective tool to identify gaps and areas to improve, as well as a systematic approach to measure
effectiveness of security tactics and their impact on IT and business operations. It's also a valuable
tool to support and improve cybersecurity investments.
How does a maturity model help secure your business?

As technology use grows to support the business, so does security risk. As organizations take on the
business and IT challenges of digital transformation, they need to assess their overall security
maturity before, during and after each element of the transformation lifecycle. A security maturity
model can help CISOs measure, communicate and visualize improvements and investments in the
security program.

In this report, we walk through different levels of cybersecurity maturity to give CISOs, CEOs and CIOs
the confidence to improve their security postures wisely while maximizing resources. When maturity
is developed in this iterative fashion, based on where you are today and what's most important for
your organization, you will be empowered to create a culture of continuous improvement to meet a
constantly evolving risk landscape.

WWT's security maturity model

This model is designed to help organizations grow and mature their security capabilities related to
people, processes and technology. The goal is to help you better understand the reality of where
your organization stands today and the steps you should take to level up.
Defining each stage of security maturity

Every organization's journey is unique. We help our clients establish a baseline for security maturity
based on five general stages. Then we work with them to build comprehensive plans to develop
those capabilities based on long-term goals paired with business and IT requirements.

Level 1 – Ad-hoc and initial: Fragmented and siloed security efforts across the organization;
reactionary risk mitigation; no repeatable or defined security policies, processes or roles; and ad-hoc
capabilities and skillsets with point solutions.

Level 2 – Established and current security: Security capabilities are partially achieved; procedures
and technical requirements are partially documented; basic security architecture is developed; and
policy, compliance audits and remediation are consistent.

Level 3 – Defined and approved security: Roles and responsibilities are defined and assigned;
personnel are trained and accountable; policies and procedures are documented, repeatable and
aligned to strategy; and technology integration is defined and implemented.

Level 4 – Actively managed security: Metrics and automation are implemented; security policies and
procedures are measured, enforced and reviewed; staff performance and effectiveness of security
capabilities are measured and evaluated; and there is strategic alignment on security across the
enterprise.

Level 5 – Optimized and innovating security: An aspirational culture of continuous risk management
and improvement; prioritized risk management for strategic key performance management;
governance body is established; information security and risk management programs are approved
by the board; and DevSecOps integrations, efficacy and efficiencies are achieved.

Level 1: Ad-hoc and initial security


Organizations at this level react to security incidents as they arise without awareness of what threats
pose the greatest risk. There is little or no proactive risk mitigation. Security processes, policies and
roles aren't formally documented. The organization may have point solutions but lacks the
capabilities and documentation to make the tools fully functional or repeatable. Operations are ad
hoc, manual and fragmented within the security team and across the organization's business units.

Risks of ad-hoc and initial security

• Organizations are at risk of failing compliance audits, leading to legal penalties, fines and
reputational damage.

• Lack of an underlying security framework makes it difficult to identify security gaps and areas
for improvement. The organization has no guide for security program development.

• Lack of documentation creates organizational inefficiencies. Too much staff time is spent on
manual processes that aren't repeatable or automated.

• The security team lacks accountability for ensuring security measures are in place and are
effectively protecting the organization's assets.

• Existing solutions may have overlapping capabilities, creating inefficiencies and potential
security gaps.

• The security toolset may not be fully utilized or operationalized due to lack of skills among
staff and lack of underlying security architectures.

Moving past Level 1

By taking the following steps, organizations can move from an ad-hoc and initial security presence
(Level 1) to established and current security (Level 2).

1. Begin to identify your security stakeholders across the organization. CISOs should start to build
relationships with the CIO and CEO. Then, focus on quick wins. Consider product owners of key
business initiatives that intersect with cybersecurity. For example, is the application development
team working on projects published to the internet that could have security gaps? Do you
understand how human resources onboards and offboards employees and manages access? Do you
know where HR data is stored? Answers to these questions will help you establish core relationships
and understand the greatest needs across the organization. WWT's Real Risk model outlines the
fundamentals of cybersecurity and key areas to start with depending on industry vertical and
organizational needs.

Before maturing security programs, organizations must have a solid understanding of the
fundamentals of cybersecurity. WWT's Real Risk model outlines key areas to start with depending on
industry vertical and organizational needs.

2. Ensure your organization is adhering to all applicable regulatory compliance requirements. Before
you can mature your organization's cybersecurity program, you must first make sure you are
compliant with local, state, federal and global regulations pertaining to data privacy and
cybersecurity.

Factors that dictate which regulations apply to your organization include:

• The type of data you collect and store.

• Whether you're a government entity or in private industry.

• Whether you're publicly traded or a private company.

• Where your company does business and collects data.

If you store personal health information (PHI), personally identifiable information (PII), or credit
card/PCI data, you may be subject to:

• General Data Protection Regulation (GDPR): Data protection and privacy law that applies to
any company that collects data related to citizens in Europe.

• Health Insurance Portability and Accountability Act (HIPAA): Law that pertains to how
personal health information is protected.

• Payment Card Industry Data Security Standard (PCI DSS): Dictates data security standards
for the payment industry.

These regulations are nuanced, subject to change, and may require regular risk and vulnerability
assessments. Compliance can be overwhelming but neglecting this essential step can leave
organizations open to legal liability.

3. Select a best practice security framework. Best practice security frameworks are developed to
align to particular industries or the public sector. They give Level 1 organizations the foundation to
systematically assess, validate and formalize risk management programs as they build them from the
ground up. They also provide a common language and understanding to discuss cybersecurity
initiatives with stakeholders both within security and IT teams and across the organization.

There are dozens of global security frameworks. Organizations should choose a framework that best
aligns with their unique risks and any supporting data across your industry vertical. Below are some
of the most common best practice security frameworks:

• National Institute of Standards and Technology (NIST): NIST's Cybersecurity Framework
(CSF) is built around the core functions of identify, protect, detect and respond, and uses
non-technical language that can be understood across the organization. Federal government
agencies are required to comply with its security controls.

• Center for Internet Security (CIS): A nonprofit that created a widely used set of 18 security
controls to defend against cyber threats and operationalize security across the organization.

• International Organization for Standardization ISO 27001 and 27002: A broad set of security
controls and sub-controls created by the International Organization for Standardization (ISO).

• Cybersecurity Maturity Model Certification (CMMC): An assessment framework required for
Department of Defense contractors.

4. Begin to familiarize yourself with security controls and start to identify gaps. For the purposes of
this report, we will refer to the 18 critical security controls from the Center for Internet Security (CIS).
These controls and sub-controls provide safeguards to protect against specific risks and offer a
starting point to create repeatable processes. These controls can then be adjusted and mapped to
regulatory and compliance frameworks as your security program matures. Start with the basic
controls that will give your security program a solid foundation. Then, depending on your
organization's unique priorities and risks, work toward mastering each of the functional and
organizational controls.
Security controls from the Center for Internet Security.

Level 2: Established and current security


Organizations at this stage have a security framework in place that guides program development.
They are meeting some of the 18 security controls, but they may not be consistent across the
organization (e.g., some regions/locations may be meeting certain security controls while others
aren't). Security capabilities are partially achieved, and processes are partially documented. Technical
requirements are documented, and a basic security architecture is developed. Policy and compliance
audits and remediation are consistent. Most regulated industries are required to operate at a
minimum of Level 2 maturity.

Risks of established and current security

• Lack of fully trained and accountable staff means not all necessary security disciplines have
full coverage, creating security vulnerabilities. Employee turnover could exacerbate these
vulnerabilities.

• Lack of fully documented and defined roles and responsibilities will increase time to backfill
positions, creating additional gaps in security coverage.

• Business still faces significant security risks at the employee level (e.g., phishing attacks and
social engineering) without a training program for all employees within an organization.

• Security team does not have documented and approved playbooks to follow in case of
breach or attack.

• Existing policies don't align with strategy, meaning the most important assets or objectives
are not receiving adequate protection. Security measures are not driving business outcomes.

• Lack of full awareness of risks and technical debt creates inefficiencies when integrating new
tools with legacy technology.

• The organization may not meet audit requirements.

Moving past Level 2


By taking the following steps, organizations can move from established and current security (Level 2)
to defined and approved security (Level 3).

1. Strengthen key relationships. Building on the relationships established in Level 1, ensure there is a
routine cadence of communications with key stakeholders. Have regular dialogue with executives to
understand their priorities. Ensure you have buy-in from leaders across business units and the
board.

2. Assign roles and responsibilities. Assess what skillsets you have on your staff and determine what
data you can use to measure performance. Address any gaps in necessary skill sets needed to mature
your security program and consider formalizing career paths for security practitioners.

3. Assess your security controls. Benchmark your current state based on the 18 CIS controls (or
whichever framework you've chosen for your organization). Identify which controls are repeatable,
then gather any existing documentation. Begin documenting processes that already exist.

4. Define target state. Decide which controls are the most important based on individual risks to
your specific organization – prioritize these as you mature your security program.

5. Begin mapping controls to the security framework you selected. Using your chosen security
framework, develop a scoring mechanism that allows you to assess the maturity of each control.
Determine any gaps and create an objective for your security program. This will give you a roadmap
to reduce and remediate risks created by those gaps.
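To make the scoring mechanism of steps 3 to 5 concrete, here is an added example that is not part of the WWT report. It scores each control as the mean of its assessed safeguard levels on the report's own five-stage scale, applies the step 3 "repeatable" test (every safeguard at least documented, i.e. Level 3), and ranks the gaps to the target state by gap multiplied by an assumed risk weight so the output reads as a prioritized roadmap. The control names follow CIS Controls v8 numbering; the safeguard assessments, targets and risk weights are constructed sample data, and the rule that the weakest control sets the program level is a design assumption.

```python
from dataclasses import dataclass
from statistics import mean

# The report's five stages, used here as the per-safeguard score scale.
LEVELS = {1: "ad-hoc", 2: "established", 3: "defined", 4: "managed", 5: "optimized"}


@dataclass
class Control:
    cid: int
    name: str
    risk_weight: int   # assumed scale: 1 (low) .. 5 (critical), set per organization
    target: int        # target maturity level (1..5) chosen in the "define target state" step
    safeguards: dict   # safeguard id -> assessed level (1..5)


def control_score(control):
    """Mean of the safeguard levels, rounded to one decimal.
    A control with nothing assessed scores 1.0: nothing is demonstrated yet."""
    if not control.safeguards:
        return 1.0
    return round(mean(control.safeguards.values()), 1)


def is_repeatable(control):
    """'Repeatable' in the report's sense: every safeguard is at least documented (Level 3)."""
    return bool(control.safeguards) and min(control.safeguards.values()) >= 3


def overall_level(controls):
    """Whole-number program level; the weakest control sets the floor (design assumption)."""
    return int(min(control_score(c) for c in controls))


def gap_roadmap(controls):
    """Controls that fall short of target, highest priority first (gap x risk weight)."""
    rows = []
    for c in controls:
        score = control_score(c)
        gap = round(c.target - score, 1)
        if gap <= 0:
            continue
        # The lowest-scoring safeguard is the natural first remediation item.
        weakest = min(c.safeguards, key=c.safeguards.get) if c.safeguards else None
        rows.append({"control": c.cid, "name": c.name, "score": score, "target": c.target,
                     "gap": gap, "priority": round(gap * c.risk_weight, 1), "weakest": weakest})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample assessment (not real data); names follow CIS Controls v8 numbering.
ASSESSMENT = [
    Control(1, "Inventory and Control of Enterprise Assets", 5, 4, {"1.1": 3, "1.2": 2, "1.3": 2}),
    Control(5, "Account Management", 5, 4, {"5.1": 4, "5.2": 4, "5.3": 3}),
    Control(8, "Audit Log Management", 3, 3, {"8.1": 3, "8.2": 3, "8.3": 3}),
    Control(17, "Incident Response Management", 4, 3, {"17.1": 1, "17.2": 1}),
]

if __name__ == "__main__":
    level = overall_level(ASSESSMENT)
    print(f"program level: {level} ({LEVELS[level]})")
    for row in gap_roadmap(ASSESSMENT):
        print(f"control {row['control']:>2} {row['name']}: score {row['score']} / target "
              f"{row['target']}, gap {row['gap']}, priority {row['priority']}, "
              f"start with safeguard {row['weakest']}")
```

Running it on the sample data puts Control 1 ahead of Control 17 even though Control 17 has the larger gap, because the asset inventory carries the higher risk weight; Control 8 is already at target and drops out of the roadmap. Swapping the mean for a minimum in control_score gives a stricter scheme where one neglected safeguard drags the whole control down, which some organizations prefer for audit-facing controls.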

6. Establish awareness of security threats. Understanding your risk posture will highlight key areas
for the CISO to invest time, money, energy and effort. Consult databases, such as those from MITRE
and NIST, that track global threats, including Common Vulnerabilities and Exposures (CVE). These
databases allow you to identify a vendor or technology solution's top vulnerabilities over a set time,
what platforms these vulnerabilities sit on and where to apply security patches.

Level 3: Defined and approved security


Level 3 is considered industry best practice. Organizations at this level have defined and assigned
roles and responsibilities. Security staff members are trained and accountable. The team has proper
coverage in necessary disciplines and can quickly backfill positions and cover core responsibilities in
the case of employee turnover. Security training exercises are implemented to educate all company
employees on the basics of cybersecurity to prevent phishing, social engineering, etc.

Policies and procedures around core security functions and disciplines (e.g., identity and access
management, incident response) are written, approved and align with the overall strategy of the
organization. Security controls are adequate to meet compliance audit requirements, and basic
governance has been established. There is awareness of supply chain risks and insider threats.

Technology purpose and intent are defined, and solutions are implemented in a subset of the
business. An architectural diagram of workflow and data flow is established. There is a process for
managing legacy technology and integrating new technology into the existing technology stack.
There is awareness of technical risks and technical debt when implementing new business or security
initiatives.

Benefits of defined and approved security

• Security teams can onboard new technology faster due to an understanding of technical risks
and existing technical debt.

• Compliance risks have been substantially reduced with documentation of applicable security
controls and the establishment of basic governance.

Moving past Level 3

By taking the following steps, organizations can move from defined and approved security (Level 3)
to actively managed security (Level 4).
1. Strengthen your proactive security culture and evolve with the business. Meet with key
stakeholders regularly (quarterly or monthly) to discuss and plan based on the current status of the
business as well as upcoming projects and initiatives. Work with IT leaders to discuss technology that
will support this business growth. Begin exploring newer technologies, methods and toolsets that
can increase speed and accuracy.

2. Continue to tighten technology and security processes. Look for areas where automation can
improve operational processes and increase efficiencies (e.g., leveraging AI/ML across cloud, incident
response, database management, asset control). Are there areas where team members are repeating
tasks? Is there a script you could write that automatically completes this task to make it a repeatable
process that's faster and frees up staff time? Identify any weak links in processes.

3. Begin to develop a strategy for insider threats and supply chain risks. The SolarWinds and Target
supply chain breaches were a wakeup call for the cybersecurity industry. Organizations must
proactively manage the third-party risks introduced by the people, processes and technologies
throughout their supply chain. Start with a comprehensive review of all vendors, tools, tactics and
procedures by appropriate domain leaders to provide the best possible strategic vision, direction and
priorities.

4. Plan for future security threats. Begin the process of threat modeling to help identify potential
weaknesses from a technical perspective. Consider using an ethical hacker team to try to penetrate
the environment to discover vulnerabilities. Or, explore a purple team exercise framework which
combines red team tactics (simulating bad actors) with blue team methods (employing defensive
measures) to continually harden the organization's cybersecurity.

5. Ensure your organization is still in compliance. Regularly examine whether there are further
compliance requirements that need to be met as the business grows.

Level 4: Actively managed security


Organizations at this level have a security-centric culture across the enterprise that's driven by
executives and the board. There's a broad understanding across business units that all employees are
responsible for keeping the business environment safe to protect critical data. Security staff
performance is predicted, measured and evaluated regularly.

Career paths on the security team are well defined. A plan is in place to develop security
practitioners and engineers to progress in their skillsets and career. An employee training plan is fully
documented and regularly recurring.

Business and security risks – both current and future – are understood and transparently measured,
evaluated and predicted. Some accepted risk may be known and tolerated in order to further
business initiatives.

Policy compliance is measured and enforced, repetitive processes are automated, and output is
measured.

The CISO has a formalized document that outlines security policies, procedures and strategy aligned
to IT and business strategies. Metrics are defined to measure and monitor the security program for
effectiveness. Short-, medium- and long-term goals and deliverables are defined.

There is a board-approved information security and risk management program in place. The CISO
meets with the board of directors quarterly to give briefs on current risks, technical debt and
potential impacts to business. CISOs will also need to determine and justify the additional security
resources needed to support business growth initiatives.

Benefits of actively managed security

• Consistently meeting compliance and regulatory requirements and successfully passing
audits on a regular basis.

• IT debt is managed.

• Mature processes and procedures result in spending less on overlapping technologies and
getting fuller protection from your security stack.

• Potential for outsourcing portions of your cybersecurity for efficiency and cost savings.

Moving past Level 4

By taking the following steps, organizations can move from actively managed security (Level 4) to
optimized and innovating security (Level 5).

1. Formalize your governance body. Establish a formal governance body through monthly or
quarterly meetings with executives. This group will determine whether the organization is governing
security process correctly in terms of overall organizational strategy, staff and technology
investments. It also will plan for future security needs as new technology, business initiatives or
mergers and acquisitions are brought forth.

2. Think creatively about your hiring process. The shortage of security practitioners means it's a
competitive hiring market. Consider looking for mid-career professionals in different fields who are
interested in cybersecurity. Then leverage your internal or external training resources to build their
cyber skills. Their backgrounds can create interesting synergies to strengthen particular cyber
disciplines. For example, a practicing lawyer looking to make a career change could bring expert
insight and add a different perspective to your policy and compliance process.

3. Focus on automation and advanced capabilities. Inspect documented processes established in
prior levels of maturity to identify any processes that are deviating from your security standards. For
example, if a new firewall rule is applied, have a process in place to identify and notify the team to
adjust as necessary for consistency with your policies.
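The firewall-rule example above is a configuration drift check, and the following is an added illustration of it rather than code from the WWT report. It compares a live ruleset against an approved baseline, reports rules that were added or removed without approval, and separately flags any allow rule that breaks a written policy (here, an assumed policy that SSH and RDP must never be reachable from outside the RFC 1918 ranges), so a rule that was approved but still violates policy is caught too. The rule line format, both rulesets and the policy constants are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed policy: these ports must never be allowed from outside the trusted (RFC 1918) ranges.
RESTRICTED_PORTS = {22, 3389}
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)   # frozen so rules are hashable and can live in sets
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    port: int


def parse_rule(line):
    """Parse one line of the constructed format 'action proto src_cidr dst_cidr port [# comment]'.
    Returns None for blank or comment-only lines; raises ValueError on a malformed CIDR."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    action, proto, src, dst, port = body.split()
    ipaddress.ip_network(src, strict=False)   # fail loudly on a bad prefix instead of silently not matching
    ipaddress.ip_network(dst, strict=False)
    return Rule(action, proto, src, dst, int(port))


def parse_ruleset(text):
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r is not None]


def violates_policy(rule):
    """True when an allow rule exposes a restricted port from a source outside the trusted ranges."""
    if rule.action != "allow" or rule.port not in RESTRICTED_PORTS:
        return False
    src = ipaddress.ip_network(rule.src, strict=False)
    return not any(src.subnet_of(trusted) for trusted in TRUSTED_SOURCES)


def drift_findings(baseline_text, current_text):
    """Compare the live ruleset with the approved baseline and return (kind, rule) pairs:
    'unapproved' = present but not in the baseline, 'removed' = approved but now missing,
    'policy-violation' = breaks RESTRICTED_PORTS regardless of approval status."""
    approved = set(parse_ruleset(baseline_text))
    current = parse_ruleset(current_text)
    findings = []
    for rule in current:
        if rule not in approved:
            findings.append(("unapproved", rule))
        if violates_policy(rule):
            findings.append(("policy-violation", rule))
    for rule in approved - set(current):
        findings.append(("removed", rule))
    return findings


def notifications(findings):
    """Human-readable lines for the team that owns the ruleset."""
    return [f"[{kind}] {r.action} {r.proto} {r.src} -> {r.dst}:{r.port}" for kind, r in findings]


# Constructed sample rulesets (not from any real device).
BASELINE = """\
allow tcp 0.0.0.0/0   10.0.1.5/32  443  # public web
allow tcp 10.0.0.0/8  10.0.1.10/32 22   # admin ssh from the corporate range
"""
CURRENT = """\
allow tcp 0.0.0.0/0   10.0.1.5/32  443  # public web
allow tcp 10.0.0.0/8  10.0.1.10/32 22   # admin ssh from the corporate range
allow tcp 0.0.0.0/0   10.0.1.10/32 22   # added during an outage, never reviewed
allow udp 10.0.0.0/8  10.0.1.20/32 53   # new internal resolver
"""

if __name__ == "__main__":
    for line in notifications(drift_findings(BASELINE, CURRENT)):
        print(line)
```

The trusted-range test deliberately uses subnet_of against an explicit list rather than the network object's is_private property, because a catch-all source such as 0.0.0.0/0 must never be treated as private. In practice the baseline would be the change-approved ruleset kept in version control and the current ruleset would be exported from the device on a schedule, so every finding maps to either an unreviewed change or a policy exception that needs a decision.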

Level 5: Optimized and innovating security


Optimized and innovating security programs are aspirational, but attainable. Organizations at this
stage have a high level of efficiency across people, process and technology with a continuous risk
management and improvement program in place. A governance body is established and provides
oversight. The organization's board has a mature understanding of the security program and receives
outside counsel from security experts to understand global security threats and trends.

Benefits of optimized and innovating security

• Current, potential and future risks are proactively managed.

• Compliance regulations are consistently met.

• Security operations effectively and efficiently manage integrations of legacy technology with
new technical solutions.

• A risk-aware culture means leadership is considering cybersecurity when executing business
goals.

• The security team has a seat at the table when business and technology initiatives are
launched.

Maintaining Level 5

By taking the following steps, organizations can maintain optimized and innovating security (Level 5).

1. Keep working hand-in-hand with your board. Security leadership should regularly present to the
board and be present in both business and security decision making. Consider engaging external
counsel to brief the board on the state of cybersecurity and share perspective on current and
potential risks within the industry.

2. Continue working hand-in-hand with your governance body. Ensure your organization has a risk
committee that meets regularly with members from across all business units. This committee will
help maintain and review the organization's risk threshold so business leaders can make decisions
based on known and accepted risk versus reward.

3. Create and maintain well-defined security playbooks. These should outline specific courses of
action (COAs) for cyber operations, IT teams and business leaders to follow during a security
incident, whether it be a ransomware attack or natural disaster. Regularly conduct tabletop exercises
simulating real-world breaches of the organization's most critical assets.

4. Regularly update your incident response communication plan. The plan should outline
expectations for communications to maintain business continuity in case of a data breach. This
essential document should detail exactly who should contact media, human resources, government,
executive leadership and the board.

5. Drive toward Agile development and a DevSecOps approach to delivering capabilities. DevSecOps
brings together development, security and operations teams and toolsets. If your organization is
leveraging the DevOps framework, take it a step further by adopting a DevSecOps mindset to ensure
that security is built into software rather than bolted on at the last minute.

6. Drive toward a continuous compliance model. Move beyond point-in-time monitoring to identify
real-time security weaknesses and compliance issues as they occur. Using integration and
automation techniques, maintain a continuous feedback loop to automatically assess the
organization's alignment to regulatory requirements and policies.

Get started today

To be effective, a cybersecurity program must continually evolve and improve. The challenge today is
getting an objective view of how secure your organization is and the best way to grow its maturity
while being agile enough to adapt to new technology and business trends.

To validate and measure efforts, many cybersecurity organizations count the number of
vulnerabilities they've closed in a given time period, or report compliance with regulatory or industry
standards. However, none of these approaches accurately indicate your organization's maturity, nor
do they provide a framework for improvement. To measure and improve, cybersecurity organizations
must adopt a maturity model.

Depending on where your organization is on its security transformation journey, there are several
next steps you can take.

1. Request a customized version of this report. Using information gathered in a short briefing,
our security experts will develop a more personalized report that helps you identify where
your organization sits on our maturity model.

2. Request a cybersecurity program assessment. WWT's security experts can provide a detailed
analysis to create roadmaps that increase your security program maturity and maximize the
use of people, processes and technology to reduce risk while increasing efficiencies.

3. Contact a security expert today to schedule an enterprise security risk assessment and work
with WWT experts to assess your current security tools portfolio and develop a prioritized
list of recommendations for improving your security posture.

How to engage

Reach out to your WWT Account Team or contact us to request an assessment or workshop or to
learn more about how WWT can support your organization with your cybersecurity initiatives.

Final thoughts

Cybersecurity maturity hinges on the ability to make iterative improvements to people, processes
and technology. Only when these improvements are made together can cybersecurity become an
enabler for business growth.

The maturity model in this report can serve as an important source of truth as CISOs, CEOs and CIOs
track their security progress. As organizations move up the maturity model, they will be better
equipped to address a shortage in cybersecurity experts and a fragmented technology market, with a
clear line of sight into what improvements will benefit the business through cost savings and more
efficient use of resources and time.

Security encompasses nearly all technology disciplines. It can be easy to focus on growing capabilities
in just one of them. While specific cyber capabilities are important, a more holistic approach to
security maturity will allow organizations to mitigate risk across the entire enterprise, and as a result,
lead to a culture where business and security work together.


This report may not be copied, reproduced, distributed, republished, downloaded, displayed, posted
or transmitted in any form or by any means, including, but not limited to, electronic, mechanical,
photocopying, recording, or otherwise, without the prior express written permission of WWT
Research. It consists of the opinions of WWT Research and as such should be not construed as
statements of fact. WWT provides the Report "AS-IS", although the information contained in Report
has been obtained from sources that are believed to be reliable. WWT disclaims all warranties as to
the accuracy, completeness or adequacy of the information.

Comments

Jeff Gray
Oct 16, 2023 10:30 PM

Good stuff! Love the approach!

Christopher Cross
Oct 15, 2022 8:44 PM

I love it

Contributors

Kris Carr
Director, Global Security Consulting Services

Emily Velders

Content Marketing Manager

Jill Cochrane

VP & General Manager, Solution Security
