The first step to strengthening security! Rethink your organization's current state with a maturity model
How should security organizations such as SOCs and CSIRTs evaluate their current capabilities and decide where to improve? In this article, we explain the basic concept of maturity as it applies to security organizations and introduce three widely used frameworks for assessing the maturity of organizations with different roles. We also outline the characteristics of each framework and key points to consider when applying them.
1. What Does a Security Organization Do?
As cyberattacks grow increasingly advanced and sophisticated, the role of corporate security organizations has become more critical than ever. Modern security operations now extend far beyond implementing antivirus software. They involve continuous threat monitoring, incident response, vulnerability management, and the prevention of information leakage.
Two well-known organizational structures in cybersecurity are the SOC (Security Operations Center) and the CSIRT (Computer Security Incident Response Team).
- The SOC is primarily responsible for continuous monitoring, detection, and analysis of security events.
- The CSIRT focuses on incident handling, including containment, recovery, and coordination among relevant stakeholders.
To evaluate whether these organizations are functioning effectively, companies often rely on a maturity assessment framework, which objectively measures operational capability and highlights areas for improvement.
2. What Is "Maturity"?
Maturity refers to the degree to which business processes, systems, and technology are standardized, systematized, and operated in a way that supports continuous improvement.
For example, consider two types of incident response systems:
- One that relies on individual judgment, and
- Another with well-defined procedures that can be replicated consistently through training or automation.
The latter is considered far more "mature."
Focusing on maturity is essential because it helps build an organizational capability that is stable, sustainable, and not dependent on the skills of a single individual. Without sufficient maturity, issues may remain hidden during normal operations, only to surface as ad-hoc and ineffective responses during an incident - ultimately increasing vulnerability.
Maturity is not merely a measure of technical strength. Instead, it reflects how well the organization operates, how scalable it is, and how effectively it can maintain and improve its security posture over time. By evaluating security operations through the lens of maturity, companies can accurately visualize their current state and identify areas that require systematic improvement.
A commonly referenced example of a maturity model is CMMI (*1), which describes organizational maturity in five levels:
- Level 1 Initial: work is ad hoc; processes are poorly defined and results depend on individual effort
- Level 2 Managed (called "Repeatable" in the original CMM): there is an established way of doing things, planned and tracked at the team or project level
- Level 3 Defined: uniform, documented rules and procedures apply across the whole organization
- Level 4 Quantitatively Managed: progress and quality are measured and controlled with metrics
- Level 5 Optimizing: the organization continuously improves its processes based on those measurements
Figure 1: Maturity Level
Maturity does not necessarily equate to having advanced or cutting-edge security measures. For example, even organizations that adopt sophisticated capabilities - such as external threat intelligence or proactive threat hunting - may still be rated at a low maturity level if these activities depend heavily on individual expertise and lack standardized processes or documentation.
Conversely, relatively basic security monitoring can be evaluated as highly mature if it is well standardized, properly documented, consistently managed, and enforced systematically.
In other words, maturity is a measure of an organization's stability and reproducibility, not its technological complexity. It reflects how reliably the organization can operate, regardless of personnel changes or individual skill levels. This evaluation axis is fundamentally different from merely assessing technical sophistication.
- (*1) CMMI Institute, https://cmmiinstitute.com
3. Introduction to Key Maturity Assessment Frameworks
Several frameworks can be used to assess the maturity of a security organization. Below are three widely recognized and practically useful models.
3-1. ITU-T X.1060: Guidelines for Building and Operating Security Organizations
ITU-T Recommendation X.1060 is a comprehensive guideline for the structure and operation of security organizations (*2). It defines the concept of a Cyber Defence Centre (CDC) - an organization responsible for integrated security operations - and outlines the services the CDC should provide and how they should be built and operated.
The framework classifies 64 items into the following nine categories:
- Strategic management of the CDC
- Real-time analysis
- Deep analysis
- Incident response
- Check and evaluation
- Collection, analysis and evaluation of threat intelligence
- Development and maintenance of CDC platforms
- Support of internal fraud response
- Active relationship with external parties
Evaluation points include whether the CDC documents its security strategy and engages with management, whether incident response flows are defined and established, and whether the organization has a system to continuously collect and utilize threat intelligence.
X.1060 itself is not a maturity model; it is a service catalogue. However, its assessment items can be used to judge how far each CDC service is in place and how well it is operated, which makes it a useful basis for evaluating the maturity of the security function as a whole.
- (*2) International Telecommunication Union (ITU), Framework for the Creation and Operation of a Cyber Defence Centre, https://www.itu.int/rec/T-REC-X.1060-202106-I
3-2. SOC-CMM: Comprehensive Assessment of SOC Capability
The SOC-CMM (Security Operations Center Capability Maturity Model) evaluates SOC maturity across multiple operational dimensions (*3). It covers the following domains:
- Business
- People
- Process
- Technology
- Services
Each domain is assessed on a six-level maturity scale, against questions such as whether log monitoring is manual or automated, or whether response procedures are clearly documented.
In addition, the Technology and Services domains are assessed on a four-level capability scale, allowing a deeper evaluation of how completely the SOC's functions are actually implemented.
SOC-CMM is highly comprehensive, with specific and detailed items that make assessments efficient to conduct and improvement areas straightforward to identify.
- (*3) SOC-CMM, https://www.soc-cmm.com
3-3. SIM3: Global Standard for CSIRT Maturity
The Security Incident Management Maturity Model (SIM3) is an internationally recognized model for evaluating CSIRT maturity (*4). It is widely used by organizations such as ENISA and FIRST (Forum of Incident Response and Security Teams), the global CSIRT community.
SIM3 evaluates 44 items across four categories:
- Organization
- Human
- Process
- Tools
Each item is scored on a five-level maturity scale (0 to 4). Evaluation examples include whether communication procedures are documented and whether arrangements exist to coordinate with external parties during incidents.
In addition, the model includes a formal qualification scheme for evaluators, who are certified as "Certified SIM3 Auditors." NTT DATA has several certified auditors who can conduct SIM3-based assessments.
- (*4) Open CSIRT Foundation, https://opencsirt.org/maturity/sim3
4. Summary
Security organizations today are responsible for a wide range of functions - including threat monitoring, analysis, incident response, and training - and must continuously strengthen these capabilities. To do so, it is essential to objectively understand the organization's current level and which areas need reinforcement.
Multiple evaluation perspectives exist, such as:
- Coverage
- Technical capability
- Organizational ability
- Maturity
These perspectives should be used collectively and from multiple angles. Among them, maturity is a crucial metric for assessing how well a security organization can respond to incidents in a stable, sustainable, and reproducible manner.
Frameworks such as X.1060, SOC-CMM, and SIM3 provide objective ways to evaluate maturity and serve as valuable guides for building security strategies. Each framework has its own strengths and target scope, so organizations can use them effectively depending on:
- which organization they want to assess (SOC, CSIRT, or entire security function), and
- which aspect they want to strengthen (processes, human resources, or technology).
By leveraging these frameworks appropriately, organizations can enhance their capabilities and better fulfill their role as defenders of corporate cybersecurity.
NTT DATA will continue to follow the latest global trends, accumulate expertise, and proactively disseminate knowledge on security maturity assessment and organizational improvement.
Soichiro Fujii
Assistant manager, NTT DATA Group, Technology and Innovation General Headquarters, Information Security Office, NTTDATA-CERT
Since 2023, he has been engaged in CSIRT support operations across internal business units. Since 2025, as a member of NTTDATA-CERT, he has contributed to improving security operations across the entire NTT DATA Group.