How to get above the Security Poverty line

The Security Poverty Line

Failing miserably trying to communicate the basics of security?
Do everyone else believe in the stories told on the vendor floor of RSA/BlackHat/Whatever?
Do you feel like no-one listens (as depicted by @EFFINBIRDS below)?

Fear no more.

You just need to get above the Security Poverty Line.
And what is that, you may ask?
Well, as most things in Information Security this is pretty hard to quantify, but what if we used the CIS Critical Security Controls [4] as a baseline?

Would it be fair to say that if you don't do the Critical Security Controls at a CMMI level of at least 3, then Your Organization is below the Security Poverty Line?
In order to assess the maturity of your implementation of the 20 Critical Security Controls I find the Assessment tools from AuditScripts very useful. [1] & [2].

But what do you think?
Is this a valuable way of expressing security maturity?
How do we communicate Security better to management?
Please comment :)

Please note that I have no affiliation with AuditScripts, but just happen to like this free resource from them.

No comments: