CMM for Security Awareness?

One of the biggest issues with security awareness is knowing what it is you are trying to achieve. It’s not enough to just run an awareness program – you have to be trying to drive an outcome.

Over a period of time I have defined in my own head a kind of CMM for security awareness. It’s something that helps me think about how mature an organisation is in its security awareness culture, which in turn helps me guide an awareness program to continually improve that culture.

It’s not really a CMM in the sense of measuring process maturity – it looks more at the output of all the awareness processes than at the processes themselves. But it’s a nice analogy that works for me.

A good CMM always has five levels (paraphrasing from the Wikipedia article referenced above):

  1. Initial – ad-hoc process
  2. Repeatable – trying to do the same thing every time
  3. Defined – documented as a standard business process
  4. Managed – good metrics that measure success of the process
  5. Optimising – ongoing improvement

To make use of this, I try to put myself in the shoes of Fred Bloggs, some person in the organisation (not in the Information Security team), and I measure culture using statements that represent the way Fred is thinking:

  • Initial – “I know there is a security team and they’ll look after all that security stuff. I don’t need to do anything”.
  • Repeatable – “I’ll drag the information security person into this conversation – he/she will worry about the security requirements”.
  • Defined – “I know what the security requirements are, but I’ll drag the security team in anyway as they will do the ‘fighting’ for what is required”.
  • Managed – “I know the security requirements and I’ll fight for them because we need them. I’ll use the security team for final sign-off or where I have to escalate”.
  • Optimising – Security requirements are just inherent in everything people do.

Of course the above is a fairly naive way of looking at things, but a key part of an awareness program is understanding where you are and what you are trying to achieve. By knowing roughly where your organisation’s culture sits and where you want to take it, you can start to tailor your security awareness program to achieve that next step.

One last thing to note – different parts of an organisation will be at different levels, and probably should be. Having an IT team that is higher up the scale than the rest of the organisation might not be a bad place for the company you are looking at. And of course that’s another key part of awareness – understanding that you want different messages and different results for different groups.
