KnowBe4 on Monday introduced the Security Culture Maturity Model, a five-level ranking that aims to help companies measure their internal security cultures. ("KnowBe4" by pasa47 is marked with CC BY 2.0)

KnowBe4 on Monday introduced the Security Culture Maturity Model, a five-level ranking that aims to help companies measure their internal security cultures.

KnowBe4 Chief Marketing Officer Michael Williams said now that the company released the model to the public, it seeks comments from security pros on how to make it best fit their needs.

"The first step was to get the model and its principles for measurement released publicly for review and comment by our customers, as well as others in the industry,” Williams said. “We plan to not only refine the model over time, but we will also release additional tools and programs for enabling companies to measure their own position on the security culture maturity model."

The model establishes five levels: basic compliance; security awareness foundation; programmatic security awareness and behavior; security behavior management; and sustainable security culture.

Williams added that at this time, KnowBe4 looks at this effort as an industry initiative, and has no plans to charge customers for the measurement process.

For an organization to have a solid security strategy, they must find the perfect balance between people and technology, said Joseph Carson, chief security scientist and Advisory CISO at Delinea. Carson said investing in security technology alone will not reduce the risks of today’s modern threats.

“That means for technology to be configured, deployed and used correctly, organizations must invest in their people to use it appropriately and securely,” Carson said. “Organizations must have a long-term strategy for human security which combines awareness, behavior and security culture that helps both the short-term awareness needs and embed security into everyday tasks. To help with this, we must make security usable and the preferred choice."   

Erkang Zheng, founder and CEO at JupiterOne, said inhibitors to creating a security culture can range from limitations on budget or resources, not having the right tooling or process, coping with overwhelming amounts of data and noise, and lack of management support.

“We need an open, transparent, and supportive security culture,” Zheng said. “This is not a one-way street. It goes both ways from executive support and engineering support of the security initiatives, to security's understanding of the business challenges and ability to make security easy to adopt for the entire organization. And we need to do the basics well – at scale. Security cannot be solved by piling up more and more ‘next-gen’ tools or continuing to increase processes.”