“Cybersecurity is the leading corporate governance challenge today, yet 87% of C-suite professionals and board members lack confidence in their company’s cybersecurity capabilities. Many CISOs and CSOs focus on implementing standards and frameworks, but what good is compliance if it does not improve your overall cybersecurity resilience?” – The CMMI Institute

Many organizations have Information Security Programs (ISPs), but many executives and boards do not know how to measure progress within these programs. They are therefore hesitant to believe any investment in technology will mitigate perceived or even unknown risks. Some organizations use regulated compliance standards such as PCI DSS or AICPA attestations as measures of their ISP. However, these standards do not fully cover the enterprise risk environment because they only focus on specific areas of risk or generic tenets of security.

Because cybersecurity cannot be measured and reported in quantifiable terms, management is hesitant to fund something it cannot quantify, and information security leaders find it difficult to obtain funding to close critical gaps in risk mitigation. Compliance then becomes the only available yardstick, however inadequate it is.

Introducing CMMI

Though CMMI is not an exact science, it offers a way to present a quantifiable level of risk for each element of the ISP. CMMI can therefore serve as a tool to justify necessary investment in information security.

Many organizations confuse information security with information technology. New solution requests are viewed as enhancements or wish-list items; for example, requests for additional full-time employees are treated as operating expenses rather than as improvements to the ISP. The difference is that each such request carries an associated risk, and that risk is ultimately reflected in the CMMI level. There is a direct correlation between people, process and technology on the one hand and the CMMI level on the other.

The History of CMMI

Information Systems Audit and Control Association (ISACA)