ICARAS Security Consultants

Security Maturity – is it time for a check-up?

As protective security consultants, we find that many organisations have put security into the ‘too-hard basket’, or alternatively feel like they have it all in hand. Only a few take the time to do an honest assessment of their protective security maturity. For those that do, it pays dividends.

The New Zealand Government’s Protective Security Requirements (PSR) provide a useful tool in the form of the Capability Maturity Model (CMM)[1]. The CMM provides a framework for assessing an organisation’s current security position and where it wants to be (based on its risk appetite), highlighting the areas that require improvement.

The CMM incorporates 12 dimensions that span the four pillars of protective security – governance, physical, personnel and information. One size very rarely fits all, so the CMM allows an organisation to identify its capability across all these dimensions, appropriate to the unique security risks it faces. An honest assessment of the organisation’s current maturity in each of these areas is then compared to the “ideal” position to give a holistic view of the organisation’s protective security maturity.

The output from the CMM process helps identify the most significant protective security gaps within an organisation, which can drive the most efficient investment of effort and resource. Following the initial assessment, an organisation can instigate a cycle of regular review, and track progress toward the desired level of security maturity.

The PSR is mandated for many public sector organisations, and is increasingly being adopted within the private sector as ‘best practice’.

So, when was the last time you had a security maturity check-up…?

[1] https://www.protectivesecurity.govt.nz/self-assessment-and-reporting/