CISO MindMap & Maturity - Part 3a - 'Security Operations' - 'Threat Prevention'
- brencronin
- Dec 15, 2025
- 7 min read
Within the CISO MindMap, Security Operations encompasses three major domains: Threat Prevention, Threat Detection, and Incident Management. This article focuses specifically on the Threat Prevention domain and examines several maturity models that apply to key subdomains within this area.


Threat Prevention
Threat Prevention spans a broad range of capabilities and is heavily influenced by an organization’s operational environment and technology stack. While many subdomains have well-defined metrics, not all have formal maturity models. In such cases, it is up to the organization to determine what maturity and operational excellence look like for that specific capability. For this article, we will focus on critical subdomains where maturity models do exist and where structured measurement provides added value.
Subdomains with Relevant Maturity Models
Asset Management Maturity
Vulnerability Management Maturity
Application Security Maturity
Security Awareness Training Maturity
Additional 'Threat Prevention' Areas: Network Security, Endpoint Security, Data Loss Prevention (DLP)
Asset Management Maturity
There is no single mandated industry standard for ITAM maturity, but several widely used models exist that organizations can use to evaluate and improve their IT asset management capabilities. Common choices include the ITAM Institute model, the ITAM Capability Maturity Model, and practical staged models aligned with ITSM/ITIL principles.

A classic capability maturity model tailored to ITAM with five levels following CMM:
Initial: Manual, undocumented, reactive
Repeatable: Informal policies and basic processes
Defined: Standardized and documented ITAM structure
Managed: Aligned to organizational strategy
Optimized: Fully integrated, continuous improvement focus
Achieving Level 3 maturity requires standardized ITAM policies and processes, a functioning CMDB, and full integration of ITAM with ITSM workflows and cybersecurity practices. Software license compliance must be actively monitored, automated discovery tools must provide reliable asset visibility, and onboarding/offboarding activities must be consistently tracked through integrated systems. At this stage, the organization demonstrates strong data accuracy and reporting capabilities. Progressing to Level 4 involves continued process refinement and the adoption of advanced capabilities such as AI-driven asset management, automated remediation, and predictive analytics for maintenance and cost forecasting.
Vulnerability Management Maturity
James Risto, working alongside fellow SANS instructor David Hazar, developed a comprehensive vulnerability management maturity model using the P.I.A.C.T. acronym to help organizations effectively evaluate and measure their vulnerability management program capabilities.
The model employs a strategic mapping approach that positions the P.I.A.C.T. framework stages along the Y-axis while plotting them against a standard five-stage Capability Maturity Model (CMM) on the X-axis. This intersection creates a clear assessment tool for determining organizational maturity levels.
Consider this practical example: when an organization operates a fully functional vulnerability scanning system that performs regular, systematic scans, they are successfully addressing the "Identify" component of the P.I.A.C.T. framework. This achievement would place the organization at the "Defined" maturity stage within the vulnerability management CMM, indicating they have established consistent, documented processes for vulnerability identification.

This maturity assessment approach provides organizations with a structured methodology to benchmark their current capabilities and identify specific areas requiring development or enhancement in their vulnerability management practices. For additional detailed information about implementing this maturity model, reference materials are available in my previous article series on Vulnerability Management Program Maturity: https://www.croninity.com/post/vulnerability-management-program-overview
Vulnerability Management Maturity in Relation to the CISO MindMap
The Vulnerability Management domain in the CISO MindMap under Threat Prevention closely mirrors a classic security maturity progression.
It begins with 'Scope'. Organizations must first define which systems are in scope for vulnerability assessment across increasingly diverse and complex environments of software and systems. For example, traditional operating systems usually support agents that can accurately detect missing patches and software flaws, whereas network devices typically require remote authenticated scanning. Modern cloud infrastructure, microservices, containers, and serverless components frequently do not allow agents at all and are not easily scanned with conventional tools, demanding specialized solutions for accurate assessment. Beyond pure software flaws (such as buffer overflows), the definition of “vulnerability” also includes misconfigurations and weak configurations, which are often identified through compliance-oriented scanning rather than traditional vulnerability scanners.

Once the scope is clear, the next stage is 'Identify'. Assets and their vulnerability posture change constantly: new systems are deployed, code is updated, and new exploits are published daily. A mature program answers the question: how frequently and consistently are we actively looking for vulnerabilities across the entire defined scope?
After identification comes 'Classify'. Not every finding carries the same risk. Mature organizations have repeatable, risk-based processes to prioritize vulnerabilities according to exploitability, asset criticality, business impact, and compensating controls, rather than treating everything as equally urgent.
Vulnerability management, however, is not complete with discovery and prioritization alone. True effectiveness requires timely remediation, which leads to the 'Mitigation' phase: patching, configuration hardening, deployment of virtual patches or compensating controls, or conscious risk acceptance when fixing is not immediately feasible.
Finally, the highest level of maturity is achieved when the entire process is 'Measurable'. Organizations track key metrics across all previous stages: coverage of the defined scope, frequency and recency of identification, accuracy and consistency of classification, speed and completeness of mitigation, and overall reduction in risk exposure over time.
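As an added worked example (not code from the article or from the SANS model), the Python script below computes a metric for each of the stages above over a small constructed asset inventory and findings list: scan coverage of the defined scope, a risk-based priority score that folds in exploitability, asset criticality and compensating controls, SLA compliance and mean time to remediate, and the change in open risk exposure over a trailing 30-day window. The asset names, findings, SLA thresholds, scan cadence and scoring weights are all assumptions made for illustration, not values from any standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

AS_OF = date(2025, 12, 15)
SCAN_FRESHNESS_DAYS = 7                                            # assumed: weekly scans
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}  # assumed remediation SLAs


@dataclass
class Asset:
    name: str
    in_scope: bool               # Scope: is the asset part of the defined VM scope?
    criticality: int             # 1 (lab box) .. 5 (crown jewel)
    last_scanned: Optional[date]


@dataclass
class Finding:
    asset: str
    severity: str
    cvss: float
    exploited_in_wild: bool      # e.g. listed in a known-exploited catalogue
    compensating_control: bool   # WAF rule, network isolation, etc.
    first_seen: date
    remediated: Optional[date]   # None while still open


# Constructed sample inventory and findings (not real systems).
ASSETS = [
    Asset("web-01", True, 5, date(2025, 12, 14)),
    Asset("db-01", True, 5, date(2025, 12, 1)),   # scanned, but stale
    Asset("k8s-prod", True, 4, None),             # in scope, never scanned
    Asset("lab-box", False, 1, None),             # explicitly out of scope
    Asset("vpn-01", True, 3, date(2025, 12, 12)),
]
FINDINGS = [
    Finding("web-01", "critical", 9.8, True, False, date(2025, 11, 20), date(2025, 11, 30)),
    Finding("web-01", "high", 7.5, False, True, date(2025, 12, 10), None),
    Finding("db-01", "critical", 9.1, True, False, date(2025, 11, 1), None),
    Finding("vpn-01", "high", 8.2, True, False, date(2025, 10, 15), date(2025, 11, 20)),
    Finding("k8s-prod", "medium", 5.3, False, False, date(2025, 11, 25), date(2025, 12, 5)),
    Finding("vpn-01", "low", 3.1, False, False, date(2025, 9, 1), None),
]


def scope_coverage(assets, as_of=AS_OF):
    """Identify: fraction of in-scope assets scanned within the freshness window."""
    in_scope = [a for a in assets if a.in_scope]
    fresh = [a for a in in_scope
             if a.last_scanned and (as_of - a.last_scanned).days <= SCAN_FRESHNESS_DAYS]
    return round(len(fresh) / len(in_scope), 2) if in_scope else 0.0


def priority_score(f, asset):
    """Classify: CVSS adjusted for exploitability, asset criticality and compensating
    controls, clamped to 0..10. The weights are illustrative, not a standard."""
    score = f.cvss + (2.0 if f.exploited_in_wild else 0.0)
    score += 0.5 * (asset.criticality - 3)
    score -= 2.0 if f.compensating_control else 0.0
    return round(max(0.0, min(10.0, score)), 2)


def within_sla(f, as_of=AS_OF):
    """Mitigate: closed findings are judged by time-to-fix; open ones stay compliant
    only while their age is still inside the SLA window."""
    return ((f.remediated or as_of) - f.first_seen).days <= SLA_DAYS[f.severity]


def sla_compliance(findings, as_of=AS_OF):
    by_sev = {}
    for f in findings:
        by_sev.setdefault(f.severity, []).append(within_sla(f, as_of))
    return {sev: round(sum(v) / len(v), 2) for sev, v in by_sev.items()}


def mean_time_to_remediate(findings):
    closed = {}
    for f in findings:
        if f.remediated:
            closed.setdefault(f.severity, []).append((f.remediated - f.first_seen).days)
    return {sev: round(mean(days), 1) for sev, days in closed.items()}


def open_exposure(findings, assets, as_of=AS_OF):
    """Measure: sum of priority scores of findings that were open on a given date."""
    by_name = {a.name: a for a in assets}
    open_on_date = [f for f in findings
                    if f.first_seen <= as_of and (f.remediated is None or f.remediated > as_of)]
    return round(sum(priority_score(f, by_name[f.asset]) for f in open_on_date), 2)


def risk_reduction(findings, assets, as_of=AS_OF, window_days=30):
    """Measure: drop in open exposure over the trailing window (negative = got worse)."""
    before = open_exposure(findings, assets, as_of - timedelta(days=window_days))
    return round(before - open_exposure(findings, assets, as_of), 2)


if __name__ == "__main__":
    print("scan coverage of scope:", scope_coverage(ASSETS))
    print("SLA compliance by severity:", sla_compliance(FINDINGS))
    print("open exposure now / reduced over 30 days:",
          open_exposure(FINDINGS, ASSETS), risk_reduction(FINDINGS, ASSETS))
```

Two things the numbers make visible that a scanner dashboard usually does not: an asset that is in scope but has never been scanned (k8s-prod) drags coverage down even though it produces no findings, and an open critical on a crown-jewel database breaches the SLA regardless of how many other findings were closed on time. Feeding real inventory and ticket data into the same functions gives the per-stage trend lines the 'Measurable' level asks for.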
Application Security Maturity
OWASP Software Assurance Maturity Model (SAMM)
The OWASP SAMM is one of the most widely adopted AppSec maturity models. It is an open, vendor-neutral framework designed specifically to measure and improve application security maturity, centered around five business functions: Governance, Design, Implementation, Verification, and Operations. Each function contains three security practices, each with three maturity levels. OWASP SAMM helps measure:
Secure SDLC integration
Threat modeling and secure design
Secure coding and code review
Security testing (SAST/DAST/IAST)
Vulnerability management and operational security
Other Appsec Maturity Models
NIST SP 800-218, Secure Software Development Framework (SSDF)
NIST SP 800-218, Secure Software Development Framework (SSDF), provides high-level guidance for integrating security throughout the entire software development lifecycle, from initial planning through deployment and ongoing maintenance. The framework emphasizes security by design, proactive risk mitigation, and continuous improvement to reduce vulnerabilities and strengthen resilience against evolving threats.
Building Security In Maturity Model (BSIMM)
A vendor-developed maturity model is the Building Security In Maturity Model (BSIMM), now maintained by Black Duck. Unlike SAMM's prescriptive levels, BSIMM is descriptive: it catalogs the software security activities observed across participating firms so an organization can compare its own program against its peers. Black Duck provides application security (AppSec) tools, primarily focused on Software Composition Analysis (SCA), to help companies manage security, license compliance, and quality risks in open-source and third-party code used in their software. Its tools automatically scan codebases, containers, and binaries to identify known vulnerabilities (CVEs), track open-source licenses, enforce policies, and generate Software Bills of Materials (SBOMs) to secure the entire software supply chain.
DevSecOps / Secure SDLC Maturity Models
Many organizations adopt internal maturity models focused on DevSecOps and secure SDLC practices. These models typically assess maturity across several key dimensions, including CI/CD security automation, integrated security tooling (such as SAST, DAST, SCA, and secrets scanning), developer enablement and training, and the use of policy-as-code and automated guardrails to enforce security standards throughout the delivery pipeline.
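To make the guardrail idea concrete, here is an added example (not from the article or from any vendor's tooling) of a policy-as-code gate in Python: it parses scanner output in the SARIF 2.1.0 format, applies per-level finding thresholds, honours time-boxed risk acceptances tied to a ticket, and fails the pipeline stage when the policy is breached. The policy schema, rule IDs, file paths, ticket numbers and the SARIF document itself are constructed for illustration.

```python
import json
import sys
from datetime import date

# Policy as code (assumed schema for this example): allowed findings per SARIF
# level (None = unlimited) and time-boxed risk acceptances tied to a ticket.
POLICY = {
    "max_findings": {"error": 0, "warning": 5, "note": None},
    "accepted_risks": [
        {"rule": "py/sql-injection", "path": "legacy/report.py",
         "expires": "2026-03-31", "ticket": "SEC-1234"},
        {"rule": "py/clear-text-logging", "path": "app/auth.py",
         "expires": "2025-06-30", "ticket": "SEC-0987"},   # lapses before Dec 2025
    ],
}


def _result(rule, level, path, line):
    """Build one SARIF result object; level=None omits the field on purpose."""
    res = {"ruleId": rule, "message": {"text": rule},
           "locations": [{"physicalLocation": {
               "artifactLocation": {"uri": path}, "region": {"startLine": line}}}]}
    if level is not None:
        res["level"] = level
    return res


# Constructed SARIF 2.1.0 document standing in for a real SAST run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            _result("py/sql-injection", "error", "legacy/report.py", 88),
            _result("py/clear-text-logging", "error", "app/auth.py", 17),
            _result("py/weak-hash", "warning", "app/users.py", 41),
            _result("py/insecure-temp-file", None, "app/export.py", 9),
            _result("py/unused-import", "note", "app/util.py", 2),
        ],
    }],
})


def parse_findings(sarif_text):
    """Flatten SARIF runs/results into plain records the policy can reason about."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": res.get("ruleId", "unknown"),
                "level": res.get("level", "warning"),   # SARIF default when omitted
                "path": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
            })
    return findings


def find_acceptance(finding, policy):
    for acc in policy["accepted_risks"]:
        if acc["rule"] == finding["rule"] and acc["path"] == finding["path"]:
            return acc
    return None


def evaluate_gate(sarif_text, policy=POLICY, today=None):
    """Return {'passed', 'counts', 'reasons'}; the CI job exits non-zero on failure."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    counts, reasons = {}, []
    for f in parse_findings(sarif_text):
        acc = find_acceptance(f, policy)
        if acc:
            if date.fromisoformat(acc["expires"]) >= today:
                continue   # accepted risk still in force: do not count it
            reasons.append(f"{acc['ticket']} acceptance for {f['rule']} in "
                           f"{f['path']} expired on {acc['expires']}")
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    for level, limit in policy["max_findings"].items():
        if limit is not None and counts.get(level, 0) > limit:
            reasons.append(f"{counts[level]} {level}-level finding(s) exceed limit {limit}")
    return {"passed": not reasons, "counts": counts, "reasons": reasons}


if __name__ == "__main__":
    verdict = evaluate_gate(SAMPLE_SARIF, today="2025-12-15")
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["passed"] else 1)
```

A real pipeline would point the gate at the SARIF file the scanner writes instead of SAMPLE_SARIF and let the non-zero exit status block the merge. The expired-acceptance branch is the part worth keeping: it is what stops a "temporary" exception from silently becoming permanent, which is the usual way guardrails decay.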
Security Awareness Training Maturity
The 'SANS Security Awareness Maturity Model' is one of the most widely used models for measuring the capabilities of an organization's cybersecurity awareness training program. It defines five levels:
Level 1 – Non-Existent - No training beyond ad-hoc or minimal compliance efforts.
Level 2 – Compliance-Focused - Annual training and basic phishing tests; meets regulatory requirements only.
Level 3 – Awareness & Behavior Change - Training is tailored to roles, reinforced throughout the year, and measured for behavior impact.
Level 4 – Long-Term Sustainment & Culture Change - Awareness embedded into culture, leadership involvement, continuous reinforcement.
Level 5 – Metrics-Driven Program - Program uses data analytics, targeted interventions, and adaptive training to reduce human-risk behavior.
Other Cybersecurity Training Program Standards
Several established standards and industry practices support the design and maturity of cybersecurity awareness and training programs.
The NIST SP 800-53 Control Framework includes an entire control family dedicated to cybersecurity awareness and training: AT – Awareness and Training. This control family defines requirements for establishing, delivering, and maintaining effective training programs across the organization.
In addition, NIST has published NIST SP 800-50, “Building a Cybersecurity and Privacy Learning Program,” which provides practical guidance for developing, implementing, and sustaining enterprise cybersecurity and privacy training initiatives.
Commercial cybersecurity vendors that provide phishing simulation and testing platforms have also developed structured awareness training modules as part of their offerings. Many of these vendors include assessment and measurement models to evaluate the effectiveness and maturity of training program delivery. Notable vendors in this space include KnowBe4, Proofpoint, and Living Security.
Some vendors and consultants further extend these approaches by incorporating Human Risk Management (HRM) maturity models, which focus on measuring and reducing human-driven cybersecurity risk as an evolution of traditional awareness training programs.
Additional 'Threat Prevention' Areas: Network Security, Endpoint Security, Data Loss Prevention (DLP)
Other key areas within Threat Prevention include Network Security, Endpoint Security, and Data Loss Prevention (DLP).
For Network and Endpoint Security, there is no widely adopted, standalone maturity model focused exclusively on specific security controls such as firewalls, IPS, proxies, or endpoint protection platforms, in the same way that formal maturity models exist for domains like IT asset management, identity, or risk. Instead, maturity in these areas is typically evaluated as part of broader cybersecurity or control-specific maturity frameworks, where effectiveness is assessed across people, process, and technology dimensions.
In contrast, Data Loss Prevention maturity is commonly evaluated through broader data security maturity models. Frameworks that take a holistic view of data security, such as the Data Security Maturity Model (DSMM), assess DLP as a core component of the organization’s overall data protection posture. These models organize data security into functions such as Identify and Classify, Protect, and Detect, each with defined maturity levels that incorporate DLP-relevant capabilities, including automated data discovery, policy enforcement, and loss prevention.
References
ITAM Maturity Model
How to Improve Your Organization’s ITAM Maturity
Your Practical IAM Security Assessment
Vulnerability Management Program Overview
SANS Key Metrics: Cloud and Enterprise
The SANS Security Awareness & Culture Maturity Model – Now Easier to Use and More Actionable
OWASP SAMM
AT: Awareness and Training
Building a Cybersecurity and Privacy Learning Program
KnowBe4 Program Maturity Assessment (PMA)
KnowBe4 Technical Documentation for the Security Awareness Proficiency Assessment (SAPA)
Human Risk Management Maturity Model
Building Security In Maturity Model (BSIMM)
NIST Special Publication 800-218 Secure Software Development Framework (SSDF)