When determining the level of maturity of a security function, I focus on the following areas and try to answer these questions:
- Is security strategy aligned with business strategy (including vision and mission)?
- Is it documented and communicated?
- Is it supported by the leadership?
- Is there a guiding policy in place to achieve set objectives?
- Have accountable individuals been identified?
- Have risk management practices been established?
- Have audit and assurance practices been established?
- Have performance measurement practices been established (including KPI definition)?
- Have global and regional interfaces been defined?
- Has team structure and funding been agreed?