Gartner Blog Network


You Cannot Buy Security Operations Maturity But You Can … Ruin It

by Anton Chuvakin  |  May 22, 2018  |  2 Comments

In my day job, I ponder all sorts of strange stuff. For example, here is a philosophical one: can one buy security operations maturity? By the way, note that when I say “security operations maturity”, the hidden word here is “process” – so in reality I speak of “security operations process and, to a lesser extent, people maturity” (but that’d be a mouthful…)

As you recall, I am a world-class maturity model nut, and many of our papers contain maturity charts (such as for SIEM, VM, IR and TI). Also, Gartner also has an overall maturity model for security, called ITScore for Information Security.

Common sense implies that maturity is something you need to … well… mature over time. Can you pay to have your wine mature faster? Probably not. So, the short answer is that “you cannot.”

Creative commons source https://flic.kr/p/8ECc3a

OK, what about a longer answer? Perhaps there are some maturity boosters you can buy or otherwise obtain in exchange for money? Perhaps, these may count:

A. Advice – you can ask us at Gartner how to climb the maturity ladder faster, you can retain Gartner Consulting or other consultants that focus on maturing the state of your security practice. Advice of course has this peculiar property: somebody has to actually follow it to get value… If you don’t plan to follow our advice, don’t ask. And, before you build a plan to boost your maturity, it helps to objectively check where you are now in this regard.

B. Experience – you can hire people who know how to operate at higher maturity levels, and have them serve as catalysts for maturity increase. This, BTW, sounds like hard work – and it is.

Note that if you make a mistake or fall victim to vendor fraud, you can occasionally suffer from “cargo cult” maturity. For example, you can start calling your SOC “a hunting team” or you can buy tools commonly used by the elites without having any related processes developed. We do occasionally see organizations with an inflated view of their security operations maturity, whereas the facts on the ground……………

Finally, you can ruin your operations maturity for free or for money. Rumors of SOC decay (such as at some major twice-breached retailer or at some major breached financial company) were reported, and attributed to change from security to compliance mentality, desire to drive the cost down or push to mindlessly outsource. So, beware! You can’t easily buy it, but you can lose it.

All blog posts that mention security maturity:

Category: security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on You Cannot Buy Security Operations Maturity But You Can … Ruin It


  1. anon says:

    You could buy a mature team from another company…just takes money and the freedom to allow that team to do what they do. Allow them to buy the components they need to. I’ve seen this done with success.

    • Indeed, this is true – but I’ve seen both successes and failures down this path. IMHO, the fail mode is when a crack team is dropped in the middle of a bureaucratic wasteland and it expected to deliver excellence. IRL, they are all killed by the zombies :-)



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.