Security maturity is about effectiveness, not about deploying security mechanisms to reach arbitrary security levels. The SMM aligns the comprehensiveness (the degree of depth, consistency and assurance of the security measures) and the scope (the degree of fit to the industry or system needs) of an organization's security needs with its investment in appropriate practices.
Not all systems require the same strength of security mechanisms and procedures to meet their security maturity targets. The organization's leadership determines the priorities that drive the security enhancement process, so that the mechanisms and procedures fit the organization's goals without going beyond what is necessary. The implementations of security mechanisms and processes are considered mature if they are expected to be effective in addressing those goals. It is the appropriateness of the security mechanisms in addressing the goals, rather than their objective strength, that determines maturity.

The SMM defines security maturity as the degree of confidence that the current security state meets all organizational security needs and all organizational security-related requirements. Security maturity is a measure of how well the overall current security approach is understood, covering people, processes and technology, together with its necessity, its benefits and the cost of supporting it. Contributing factors include the specific threats to an organization's industry vertical; safety, regulatory, ethical and compliance requirements; the organization's threat profile; and the unique risks present in its environment.
The 62443 series of standards also has a concept of maturity, focused on the maturity of the security program and its processes. The 62443 maturity levels are based on the Capability Maturity Model Integration (CMMI) standard, specifically CMMI for Development (CMMI-DEV) and CMMI for Services (CMMI-SVC). This process-centered maturity approach can be aligned with the SMM maturity model, which covers technology and operations as well, rather than processes alone.