The Forrester Information Security Maturity Model

After an in-depth survey of IT security and risk professionals, as well as our ongoing work with leaders in this field, Forrester recognized the need for a detailed, practical way to measure the maturity of security organizations. You asked, and we responded. I'm happy to announce today we published the Forrester Information Security Maturity Model, detailing 123 components that comprise a successful security organization, grouped in 25 functions, and 4 high level domains. In addition to the People, Process, and Technology functions you may be familiar with, we added Oversight, a domain that addresses the strategy and decision making needed to coordinate functions in the other three domains.

Our Maturity Model report explains the research and methodology behind this new framework, which is designed to help security and risk professionals articulate the breadth of security’s role in the organization, identify and fix gaps in their programs, and demonstrate improvement over time.

What makes the Forrester Information Security Maturity Model work?

  • It’s objective. The detailed characteristics required to meet each maturity level are based on extensive research and best practices.
  • It’s prescriptive. Achieving the next level of maturity for each of the 123 components requires very specific actions.
  • It’s process-oriented. The maturity levels are based on how organizations approach security decisions and implementations, not the implementation of the latest and greatest security technologies.
  • It’s modular. We made this model as comprehensive as possible, but we recognize that many organizations will choose to assess just a specific subset of functions at any given time.
  • It’s uncomplicated. Security teams must constantly respond to auditors, regulators, business partners, and other stakeholders with different types of assessments. This model is based on high-level assessment data and observations, not detailed data collection.

This was a collaborative effort involving Forrester’s entire Security and Risk team. I provided a lot of the coordination as well as content in the governance, risk, and compliance areas, but relied on my cohorts to fill in the detailed criteria for the other aspects of the model.

Feedback from customers so far has been very positive, but as always, we encourage your comments and questions. Many thanks to those of you that have already offered input.