Maturity Model 101

Strategic Security

Maturity models are a tool used in a range of business sectors, including manufacturing, software engineering, operations, and logistics. The model is often used to help set process improvement objectives and priorities, and it can provide a method for appraising the state of an organization's current practices.

Researchers at Carnegie Mellon University (CMU) have been developing early maturity model prototypes since the 1980s. In 2002, CMU released the first version of the Capability Maturity Model Integration (CMMI) tool, which was developed by a group of experts from industry, government, and CMU's Software Engineering Institute. Updated versions of the tool were released in 2006 and 2010.

The Ernst & Young (EY) physical security maturity model developed with Caterpillar is based on this CMMI tool, and also on EY’s cybersecurity maturity model.

The EY model uses a level 1 through 5 rating scale to define maturity levels: (1) Initial, (2) Repeatable, (3) Defined, (4) Managed, and (5) Optimized. For a hypothetical example, take the compliance component of a security department. In the Initial stage of a maturity model, processes are unpredictable, poorly controlled, and reactive. Thus, in that initial stage, the security department is conducting its compliance activities in a haphazard way—putting out fires when they flare, with no real established process for doing so.

When compliance reaches level 3, Defined, the compliance process is established and proactive—perhaps with guidelines enforced by a compliance officer. At level 5, Optimized, the process is so well-established, managed, and defined that the focus is now on process improvement.