The five maturity levels in information security budgeting are based on two factors:
- The level of risk.
- The level of maturity.
These two factors are inversely related: as the maturity level increases, the risk level decreases, and vice versa.
An increase in maturity level also increases the percentage of the budget spent on security, with the exception of level 4 and level 5. A lower maturity level therefore accounts for a smaller percentage of the budget.
The maturity levels are grouped into five stages:
- Level 1: Initial.
- Level 2: Developing.
- Level 3: Defined.
- Level 4: Managed.
- Level 5: Optimizing.
LEVEL 1 (Initial):
During this stage a few advocates exist, but there are no formalized security practices in place. Actions taken at this level are reactive and poorly controlled, and security awareness is limited. However, there is conscious awareness and acceptance of the need for a formal security program for the organization.
In addition, the budgetary allocation for the organization's information and technology security is less than 3% and does not exceed 4% at this level.
LEVEL 2 (Developing):
In the developing stage, the organization's vision is outlined, and management accepts the need for a formal security strategy. All requirements are properly assessed, roles and responsibilities are assigned, and implementation is initiated.
At this level, gaps are identified, and the organization rolls out communication and education programs across the entire institution. Budgetary expenses for the organization's information and technology security at this stage are between 4% and 6% of the IT budget.
LEVEL 3 (Defined):
Level 3 comprises the definition of goals, security practices, and performance metrics. All IT processes are required to meet current standards and to be integrated, properly documented, and implemented. The organization also puts in place a formal governance and compliance model.
Furthermore, budgetary expenses for the organization's information and technology security at this level are between 7% and 8% of the IT budget.
LEVEL 4 (Managed):
At the Managed level, information security programs are both an integral part of the culture and an inseparable component of the organization's business operations. They are also considered in every decision-making process.
Furthermore, at this level performance expectations and efficiency are predictable, and budgetary expenses fall between 8% and 3%.
LEVEL 5 (Optimizing):
Business operations and processes are fully optimized and have reached maturity. The organization's investments and decision making are interconnected. Stakeholder feedback is used to continuously improve processes involving employees, people, technology, changes in business demand, and new opportunities as they arise.
The IT security budget at the Optimizing level accounts for between 3% and 4% of the organization's IT budget.
Put your comments below in the comment section on your thoughts about this.