If you look at a standard maturity index for processes (such as COBIT or ITIL), they propose five levels:
with a sixth, lower level being implied (non-existent), and on the NIST side we have the Five Functions:
Although these make perfect sense for a practitioner, I feel they imply far too much optimism at the lower levels. I would argue that in today’s world, if you are not able to Detect problems and do not have a measurable way to make sure detection is working and improving, you are just being wishful that you are defending yourself properly.
So here is my proposal: simplify these models into clear language that a non-practitioner would understand quickly, using just the following four levels:
I would argue that many companies today fall into the “Wishful” category: they have deployed some tools, and sometimes all the right tools, but are not investing enough in processes and monitoring. They feel that because they have the right tools they are protected. Unfortunately, until they reach the “Conscious” level, they have no way to know whether that is true, and, since this is the fast-moving world of technology, no way to know whether the “right tools” they deployed previously are still the right tools now.
On a side note, if you handle customer data (especially anything that counts as “Personal Information”, financial information and/or credit card information), “Awesome” is the only acceptable level; you are being entrusted with that data, and if you cannot demonstrate that you are doing what needs to be done, it is only a matter of time before you have an issue that drives your customers away.