SOC-CMM forum
How to set maturity and capability targets




How to set maturity and capability targets - Anders - 08-24-2021

Hello Rob and all the community,
Many thanks for your work and your powerful publications in the field of SOC. I have a question about SOC-CMM. How to determine the target? You indicate that it is based on ambitions and that it is optional. Is this based on a feeling, an estimation from the SOC manager? I'm having trouble figuring out how to set it.

Thanks for your help,
Have a good day.


RE: How to set maturity and capability targets - robvanos - 09-09-2021

Hi Anders,

Sorry for the late reply.

Determining where to set the target is a strategic decision. I personally believe that the appropriate capability and maturity level for a SOC depends on:
- ambition: what goals are you trying to achieve with the SOC?
- risks: what risks are you facing as an organisation and what role does the SOC have in mitigating those risks?
- organisational maturity level: how mature is the organisation? Having a mature SOC in an organisation with low overall maturity will create a mismatch.
- threats: what threats are you protecting against and what capabilities do you need to protect against these threats? This also depends on the profile of the threat actors you are facing and will change over time.
- willingness to invest in maturity. Maintaining a higher level of maturity requires more effort. Thus, more personnel is required.

All these are factors that contribute to setting your target.

Regards,
Rob.


RE: How to set maturity and capability targets - Anders - 09-10-2021

Hi Rob,

No problem about the delay, it was holidays for many people ;)

Thanks a lot for your answer.
What I find a bit complicated when using the method for the first time is projecting yourself when you don't really know what each maturity level corresponds to.
For example, in my work, for an audit based on ISO 27001, we have a small survey to help determine a maturity target.
I don't know if you keep a list of feature requests somewhere, but do you think that would be interesting to include?

Have a good day and a good weekend.



RE: How to set maturity and capability targets - robvanos - 09-16-2021

Hi Anders,

I agree that setting a target is difficult if you have no reference. I think many users will be able to set a concrete maturity goal only after they have completed an initial assessment. I may include some guidance on setting maturity targets (basically, what I've posted above) in the SOC-CMM. A feature to include a survey for setting the maturity target is not something I want to pursue at this moment.

Of course, if you have ideas about a more concrete survey to determine the maturity target, feel free to post it here!

Regards,
Rob.