Facebook Tracking
June 11, 2019

Improving the Maturity of your Security Program

Category: Blog

CIOs, CISOs, SecOps, and IT teams of many organizations are often asked about their specific defensive capabilities. “How well would we handle Locky Ransomware or EternalBlue?”


Most are unable to reliably and objectively provide data-driven answers. Evaluating your own security maturity can help you understand your current capabilities and drive towards a more mature security program, providing your organization with further capabilities.


In this blog post, I’ll review a simplified set of maturity levels that can help you evaluate your security program and discuss how AttackIQ can enable your organization to grow more mature at each level.


Classic Maturity Models


Maturity models can provide guidance in evaluating the capabilities of your security program and there are a number of well-known maturity models accepted in the industry e.g CMM, HP SOMM, Hunting Maturity Model, Detection Maturity Model, C2M2, ES-C2M2, ONG-C2M2, Booz Allen Cyber Operations Maturity, Microsoft Critical Infrastructure Protection: Concepts and Continuum Framework, Community Cyber Security Maturity Model, some models are very broad and generic, some are very narrow and focused.  The right model varies based on the specific situation and many of these models can be adapted to fit your needs.


In the last five years, AttackIQ has worked with organizations at every level of their security maturity and we have found using a security validation platform enables an organization to improve the security maturity of their own program moving from ad-hoc to compliance-driven to ultimately a continuously optimized data-driven strategy.


Building a great security program requires continuous improvement, and the best way to improve a security program is to measure it. Maturity models provide the ability to evaluate your defensive capabilities (people, processes, technologies, and tools), and as your organization becomes more refined, your security operations will be more prepared and your infrastructure will be more resilient to the threats against your business continuity.


Most maturity models have levels 1-5, leaving enough flexibility for the model to be descriptive rather than prescriptive, allowing it to be customizable by most organizations. Below is a description of each level, described generically, combining elements from multiple maturity models. In addition,  I have added how AttackIQ through security validation can mature your organizational processes:



Maturity Level



Level 1 (Initial)

This is the starting point for the use of new or undocumented processes.

Processes are chaotic, ad-hoc, reactionary, little to no routine or repeatability when fighting fires, no metrics.


How AttackIQ helps you mature from Level 1 to Level 2:

At this stage, most organizations have tended to focus on simple detection like perimeter protection, anti-malware, and patch management. Some organizations at this stage also choose to build a vulnerability management program. The problem typically becomes that overwhelming, unclear order to fix vulnerabilities without the prioritization and understanding of the assessment of impact. AttackIQ can help, by focusing resources to mitigate the risks associated with the vulnerabilities that present the largest potential impacts and risk to your organization and further positions the security program towards continuous security validation (CSV).


Maturity Level



Level 2 (Repeatable)

Processes are documented sufficiently such that repeating the same steps may be attempted.

There are some processes that are repeated but the processes are not formally documented or defined.


How AttackIQ helps you mature from Level 2 to Level 3:

AttackIQ provides an organization the ability to take an inventory of all security capabilities,  test the assumption of each technology an/or process in a manual or automated fashion, and evidence of correct and incorrect assumptions.


Maturity Level



Level 3 (Defined)

Processes are defined and confirmed as a standard business process.

Processes are documented, repeatable, and followed by the team.


How AttackIQ helps you mature from Level 3 to Level 4:

As new technologies and processes are defined, AttackIQ creates a repeatable, automated method for monitoring and measuring their capabilities and effectiveness. The results are then mapped to various frameworks that can be discussed at a strategic level towards making key business decisions. The business can now look at the security program holistically, understanding the threats and overall risk and defending with evidence, the effectiveness of core capabilities and controls mitigating the risk.


Maturity Level



Level 4 (Managed and Measured)

Processes are quantitatively managed in accordance with agreed-upon metrics.

Previous processes are not only documented and repeatable, but managed, monitored, and measured.


How AttackIQ helps you mature from Level 4 to Level 5:

AttackIQ continuously monitors and measures current capabilities, identifying any gaps and providing data-driven metrics for decision makers and operators to optimize your holistic security program.


Maturity Level



Level 5 (Leading and Optimizing)

Process management includes deliberate process optimization and improvement.

Your team is proactive, measuring the effectiveness of the current program, identifying gaps, and using data-driven methodologies to constantly reduce risk.



When your security is in its infancy,  it can’t be expected to be able to answer questions related to real-world threats and if you’re prepared because you have not yet put the proper instrumentation in place to measure and validate your security controls. AttackIQ can help you mature at every level to improve your overall holistic security program so that you can feel confident to defend your security decisions and investments and be able to answer key questions as to the capability of your security program and its ability to defend against the latest greatest relevant threats.


Additional thank you to AttackIQ team members who helped provide input: Bob Failla and Tin Tam.

Tags: environmental drift , chain , security teams , environmental-drift-detection , sip , team resources blog , research publications , continuously validate effectiveness , protect shareholder value , correctly handling events , cybersecurity predictions , controls effectiveness optimize , bad actors , attack vectors , privacy policy , kill-chain apt , web gateway , cyber risk , security controls , email gateway , cyber defenses , latest blog post , tool , data exfiltration , cyber , security instrumentation platform , phishing awareness , security instrumentation , advanced-modules-operationalizing-sip , validation , critical business function , security , web application firewall , rationalize , business platform , supply , newsroom events partners join , free trial , solution briefs

About the Author

Co-Founder and CTO of AttackIQ

Stephan Chenette is a 20 year veteran of information security, servicing clients ranging from startups to multinational corporations as a pentester, security and risk consultant, solutions architect and head of research and development. He has presented at numerous conferences including RSA, Blackhat, ToorCon, BSides, CanSecWest, RECon, AusCERT, SecTor, SOURCE and PacSec.