
CISO MindMap & Maturity - Part 2 - 'Team Management'

  • brencronin
  • 22 hours ago
  • 3 min read

One of the first areas of the CISO MindMap we will examine is Team Management, which encompasses both Information Security Budget Management and Staffing and Talent Management.


There is no single, universally adopted “Security Budget Capability Maturity Model” dedicated specifically to IT or information-system security budgeting. However, several established capability maturity models include budgeting, financial governance, or resource optimization as part of broader security or IT-governance maturity, and they are routinely used by enterprises to assess and mature how they plan, allocate, and manage cybersecurity spend. These are often built using components from:


  • CMMI

  • COBIT

  • NIST RMF

  • ISO 27014

  • FAIR


The models most relevant to security budgeting overlap heavily with the CISO MindMap areas of Governance and Risk Management.


Organization-Specific Security Budget Maturity Models (Common in Large Enterprises)


Many organizations create internal maturity models that include stages such as:


  1. Ad-Hoc: Reactive budget requests; no forecasting

  2. Basic: Annual budgeting with minimal risk linkage

  3. Defined: Formal budgeting workflows and cost centers

  4. Managed: Budget tied to risk and performance metrics

  5. Optimized: Quantitative ROI, predictive forecasting, scenario modeling


NIST Cybersecurity Framework (CSF) – Implementation Tiers


The NIST CSF (distinct from the NIST Risk Management Framework, RMF) does not provide a budget model, but its Implementation Tiers (1–4) describe how an organization's cybersecurity risk governance and management practices operate, which directly addresses:


  • Investment prioritization

  • Resource allocation processes

  • Alignment with organizational risk appetite

  • Strategic planning of cybersecurity initiatives


As organizations move from Tier 1 (“Partial”) to Tier 4 (“Adaptive”), they mature in budgeting tied to risk, predictable funding cycles, and governance-aligned financial decision-making.


NIST SP 800-55 (Measurement Guide for Information Security)


This guide is a measurement program reference rather than a maturity model, but it supports:


  • Budget justification models

  • Security program measurement

  • Resource-driven maturity measurements


Staffing and Talent Management


CMMI People Capability Maturity Model (P-CMM)


P-CMM is the most formal and widely recognized maturity model for talent and workforce management. Its maturity levels are:


  1. Initial – Ad hoc staffing, hero culture, high dependency on individuals

  2. Managed – Basic workforce planning, training, and performance management

  3. Defined – Competency frameworks, standardized career paths, role definitions

  4. Predictable – Quantitative workforce metrics, capacity forecasting

  5. Optimizing – Continuous skills improvement and workforce innovation


NIST NICE Workforce Framework (Role-Based Maturity)


NIST NICE stands for the National Initiative for Cybersecurity Education. While the NICE Framework is not a maturity model by itself, it was developed in response to the growing demand for skilled cybersecurity professionals and the challenges organizations face in consistently defining, measuring, and developing in-demand cyber skills.


The NICE Framework organizes cybersecurity work hierarchically, beginning with high-level Categories. Each Category is further decomposed into more specific Work Roles and functional areas. For example, the Protection and Defense (PD) Category expands into multiple subareas. Each Work Role is described by defined Task, Knowledge, and Skill (TKS) statements that describe the expected activities and competencies.



Using Vulnerability Analysis as an example, NICE provides a set of task statements intended to describe the scope of work involved. Practitioners with real-world experience will recognize that these task statements remain intentionally high level, and that significant variation exists in how “skill” is defined and applied across organizations, tools, and environments. However, the framework provides a necessary baseline. A substantial amount of effort went into its development, making NICE a strong starting point for structuring roles and capabilities.


It is important to note that NICE should not be treated as a checklist exercise where boxes are simply checked and workforce maturity is assumed. Instead, it should be used as a foundational reference to support workforce planning, capability mapping, and development.


When applied to staffing and talent management maturity, a “Managed” level often indicates that roles are mapped to the NICE Framework, with initial planning in place for training, skills development, and performance management.


References


NIST SP 800-55v1, Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures


NIST SP 800-55v2, Measurement Guide for Information Security: Volume 2 — Developing an Information Security Measurement Program


People Capability Maturity Model (P-CMM), Version 2.0, Second Edition


NIST NICE Workforce Framework for Cybersecurity (NICE Framework)

