Clients of all shapes and sizes receive inbound security assessments from much larger organizations, and those questionnaires share something strikingly similar: they all use a 5-point scale that makes little sense to smaller companies. Initial? Managed? What do these mean?
Let's explain what they are.
The CMMI (Capability Maturity Model Integration) scale is a common framework for appraising the process maturity of an organization.
According to the CMMI Institute, this scale:
…[provides] a risk-based approach to measuring and managing security risks in the context of your business mission and strategy…
It's understandable why large corporations use this lingo. Here's a brief overview of the terminology, as the five CMMI maturity levels are commonly summarized (source: Wikipedia):
Level 1, Initial - Processes are unpredictable, poorly controlled and reactive.
Level 2, Managed - Processes are characterized for individual projects, and work is still often reactive.
Level 3, Defined - Processes are characterized for the whole organization and are proactive.
Level 4, Quantitatively Managed - Processes are measured and controlled.
Level 5, Optimizing - The focus is on continuous process improvement.
For the non-cybersecurity or non-enterprise folks, these definitions can be very intimidating. Here's how we, as a 10-person startup, like to view the CMMI scale to make it simple and easy to remember:
Initial - You're just getting started in this area. Either you haven't considered it yet, or you do it but not well.
Managed - You're managing to get by. The item gets done, but there's no written, repeatable process behind it.
Defined - You have a documented process, you follow it, and you can prove it.
Quantitatively Managed - You measure your defined process with concrete metrics and manage it against those numbers.
Optimizing - Your process is executed and measured well; all that's left is to show that you continuously improve it on a recurring basis, and to be able to prove that as well.
Once you understand these terms, you can generally tell where your organization stands. For smaller, younger organizations, it's understood that you might not yet have the maturity of a larger company, and that you'll mostly land somewhere between Initial and Defined.
Luckily, there are platforms out there (like JustProtect) to help with process and policy management. As you evolve and harden your processes over time, the evidence that you do so comes along with them.
We hope this helps. We’d love your thoughts below!