Security maturity: How to benchmark your status and focus on strategic objectives

Avatar for Jay BarbourBy Jay Barbour|Dec 17, 2019|7:30 am CST

For many enterprises, cybersecurity today is often an overwhelming best-effort game of whack-a-mole, reacting to a constant barrage of only the most visible security threats and incidents, and then hoping what you don’t see isn’t hurting you. Most companies are barely keeping up with the latest crisis, rarely catching a breath to figure out which strategic objectives could turn this situation around. And yet, breaking this vicious cycle is critical.

IT leaders need to implement more effective security risk management practices, but taking even the first step is not always easy. Understanding what your peers are doing is often helpful. Here’s our security maturity guide to help you benchmark your status and focus on more strategic security investments.

Security maturity model

Security maturity models help organizations quickly see where they are in the continual journey of security improvement. Masergy worked with a leading security analyst to create this maturity map, which is designed to aid you in self-assessment and strategy development.

Limited security: Undeveloped leadership, awareness, and response

It’s not uncommon to be “security limited,” but it brings with it elevated risk. Companies in this segment are typically small to medium-sized businesses (500-1500 employees) and are characterized by:

  • Limited visibility and awareness into security threats
  • Reactive strategies that respond to basic requirements
  • Security leadership that falls under the CIO
  • A need to implement or improve the security program
  • A need for security skills
  • Concerns for due diligence on a small budget
  • Concerns regarding solutions that are easy to deploy and manage

IT leaders who fit this segment are aiming for better awareness and visibility into security risks, and must do so by bringing in needed security skills. These organizations are just starting to implement a formal security program, and continual improvement is critical. Key concerns are achieving goals under the limits of a small budget, and ensuring solutions are easy to deploy and manage, avoiding any additional workload.

Intermediate security: Developing leadership, awareness, and response

Companies in this segment are characterized by:

  • Good visibility with awareness across some IT environments (the network, cloud assets, and/or endpoints)
  • Proactive strategies that tactically and preventatively address current issues
  • Security leadership that falls under a CISO with a small team
  • A need to secure cloud environments
  • A need to optimize existing security investments
  • Concerns for an overworked security team
  • Concerns regarding risk management on a limited budget

The Intermediate segment has a CSO or CISO with a small team and is focused on leveraging security as a business enabler, including secure cloud initiatives. Also, optimizing existing security tools as investments is important, as executives aim to augment current capabilities rather than rip and replace them. Key concerns are to ensure formal risk management practices stay within an acceptable range and to reduce the workload on existing security personnel.

Mature security: Evolving leadership, awareness, and response

Companies in this segment are characterized by:

  • Excellent visibility with awareness across all IT environments (the network, cloud assets, and endpoints)
  • Anticipatory strategies that proactively address future issues
  • Security leadership that falls under a CISO with a large team
  • A need to secure cloud environments
  • A need to optimize existing security investments
  • Concerns for an overworked security team
  • Concerns regarding risk management on a limited budget

The Mature segment is often focused on agile risk management to enable aggressive business transformation. Also, these companies continually measure their risk management effectiveness to ensure they won’t be hit with security surprises.

Outlining your next steps: Invest in services over products

Where do you think your enterprise fits in this model? If you’re feeling a bit inadequate, that’s normal. You’re not alone! With most enterprises sitting squarely in the Limited or Intermediate segments, you understand better than anyone the tight constraints on security budgets and security expertise. So, it shouldn’t surprise you that spending on security services has outpaced spending on security products, according to Forrester’s research. After all, 62% of enterprises say their security team is understaffed, according to Forrester. Here’s a free copy of the Forrester report, “Top Research for CIOs: Security.”

You’ve probably already concluded that partnering with a managed security services provider (MSSP) is the best approach to getting security expertise, advanced tools, and processes to achieve your objectives. But how much might those services cost you, and how will you acquire budget for contracting security services? Forrester offers critical guidance here too.

Security improvement: How much does threat detection and response cost?

Forrester’s research on security budgets from 2019 tells us that enterprises are spending on average anywhere from 10-30% of their IT budgets on security. This serves as a starting place and a measuring stick for your maturity evaluation. Have a conversation with the study’s author and analyst, Jeff Pollard, and the big takeaway is this: If you’re spending less than 10% of your IT budget, you’re considered blissfully unaware when it comes to security threats. If you’re spending 11-20% or even 21-30% of your budget, you’re starting to become much more aware of what’s happening. Learn more in this “MSSP Survival Guide.”

But awareness is only half the equation.

Sound security strategies also require a staff of people responding and taking action to further investigate alerts and quarantine any verified threats. So what does that cost look like? Operating three security operations centers (SOCs) across the globe, Masergy offers this guide for measuring the cost of SOC operations. Download the eGuide “Build or Buy? Eight Factors for Measuring TCO on Security Operations Centers.”

Why your security savings multiply with Masergy

Here’s how a partnership with Masergy can help maximize your security budget:

  • A Comprehensive Managed Detection and Response Solutioncloud security technologies, security analytics, and SOC services all from one provider
  • Free Threat Intelligence: Masergy’s 19+ years of threat intelligence is included with nearly every service, and our network flow data visibility tool is value-add as well
  • Cost-Competitive: Pricing is based on your number of users and sites — not just on the number of alerts ingested or technologies monitored
  • More Value: Proactive threat hunting services are provided for customers in the Mature segment on the Masergy maturity model

With 19+ years of experience and industry certified analysts analyzing 45 billion events annually, Masergy stands ready to serve your security needs. Contact us today for a free consultation.

Interested in learning more about Managed Security?

Call us now to arrange a consultation (855) 238-1463.
Or arrange for a consultation through our request form.