There are dozens of maturity models, yet what creates executive-level adoption and sponsorship? John Bryk’s CSO article (1) on a Cybersecurity Maturity Model caught my attention. My opinion is that there are three reasons why this maturity model created enterprise-level adoption:
Relevance to what matters in the boardroom
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. Significant effort and corporate investment are going into this space to increase asset protection and decrease corporate liabilities. Maturity models focused on hot technologies will get attention.
Example: The Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) was developed in support of a (United States of America) White House initiative led by the Department of Energy (DOE), in partnership with the Department of Homeland Security (DHS), and in collaboration with private and public-sector experts.
Clear Survey Domains aid in adoption
Maturity models that are simple, not simplistic, will help teams work with everyone, from decision makers to IT operations.
Example: ONG-C2M2 has 10 cybersecurity domains, each with descriptions of best practices. It combines risk assessment of both operations and management practices. It is easy peasy to conduct, and potential gaps are easy to explain.
Ease of Communication of Why Assessment is needed
If you can quickly communicate both process and value, it helps with getting needed attention and organizational adoption.
Example: the ONG-C2M2 document states that “A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. (which) exemplifies best practices …. A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement.” Again, pretty easy peasy to communicate to both the teams involved and leadership.
In your experience, what are other ways that help maturity model adoption? Comments welcome below.