In my day job, I ponder all sorts of strange stuff. For example, here is a philosophical one: can one buy security operations maturity? By the way, note that when I say “security operations maturity”, the hidden word here is “process” – so in reality I speak of “security operations process and, to a lesser extent, people maturity” (but that’d be a mouthful…)
As you recall, I am a world-class maturity model nut, and many of our papers contain maturity charts (such as for SIEM, VM, IR and TI). Gartner also has an overall maturity model for security, called ITScore for Information Security.
Common sense implies that maturity is something you need to … well… mature over time. Can you pay to have your wine mature faster? Probably not. So, the short answer is that “you cannot.”
OK, what about a longer answer? Perhaps there are some maturity boosters you can buy or otherwise obtain in exchange for money? Perhaps, these may count:
A. Advice – you can ask us at Gartner how to climb the maturity ladder faster, you can retain Gartner Consulting or other consultants that focus on maturing the state of your security practice. Advice of course has this peculiar property: somebody has to actually follow it to get value… If you don’t plan to follow our advice, don’t ask. And, before you build a plan to boost your maturity, it helps to objectively check where you are now in this regard.
B. Experience – you can hire people who know how to operate at higher maturity levels, and have them serve as catalysts for maturity increase. This, BTW, sounds like hard work – and it is.
Note that if you make a mistake or fall victim to vendor fraud, you can occasionally suffer from “cargo cult” maturity. For example, you can start calling your SOC “a hunting team,” or you can buy tools commonly used by the elites without having developed any related processes. We do occasionally see organizations with an inflated view of their security operations maturity, whereas the facts on the ground…
Finally, you can ruin your operations maturity for free or for money. Rumors of SOC decay (such as at some major twice-breached retailer or at some major breached financial company) were reported, and attributed to a shift from a security mentality to a compliance mentality, a desire to drive costs down, or a push to mindlessly outsource. So, beware! You can’t easily buy it, but you can lose it.
All blog posts that mention security maturity:
- On Wild Security Maturity Overestimation
- Your Security Operations Maturity – and Your MSSP
- Jumping Security Maturity FAIL!
- How a Lower Maturity Security Organization Can Use Threat Intel?
- On SIEM Maturity Scale and Maybe On CMM Too
- More on SIEM Maturity – And Request for Feedback!
*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/05/22/you-cannot-buy-security-operations-maturity-but-you-can-fuck-it-up/