What Gets Measured Gets Managed.

Peter Drucker

Security Culture Maturity Model

Implementing risk, compliance, and security awareness in your organisation is not an easy job. It is a mind-set that needs to seep through the entire organisation in order to work properly and protect the core business. But how do you facilitate that?

We have created the Security Culture Maturity Model (SCMM) for you, to help you figure out where on the path towards maturity your organisation is, and what you might need to focus on for the next step.

SCMM – Security Culture Maturity Model from the Security Awareness perspective

The maturity of your organisation when it comes to security management can be divided into five levels: 5) Autonomous, 4) Structured, 3) Accepted, 2) Recognised, and 1) Heroes. This is the SCMM – Security Culture Maturity Model focusing on Employee Awareness.

In this perspective, the model measures how deeply embedded Security Awareness is among the employees of your organisation; security here is a matter of creating awareness and the right culture across the organisation.

1) Heroes: There is no actual awareness program in the organisation, and the security of the entire organisation depends on very few employees – the so-called heroes. This is often the IT-security guy or girl, if such a role exists. In short, awareness about security is non-existent.

2) Recognised: The need for security is recognised by management, but only appears in certain areas of the organisation such as compliance. Being at this level is risky, as management often feels safe because security is somewhat taken care of, but in reality the organisation is very vulnerable.

3) Accepted: Organisations at this level have a much more structured approach to security than the two former levels. Consequently, actual awareness training is implemented, targeting key roles in the organisation.

4) Structured: The awareness program has a long-term perspective in the organisation, while compliance, incidents, risks, and controls are managed, controlled, and evaluated throughout the organisation.

5) Autonomous: The organisation has a security awareness program that is continuously updated and improved year after year. Awareness is embedded in the culture, and all employees know the security procedures of the organisation.

SCMM – The model from a broader perspective

Most organisations that I help are somewhere around level 2 and 3. I meet a few organisations on level 1, but they are seldom willing to change, since no one, or only a single individual in management, has yet come to realise the need.

I have met single organisations at level 4 and 5. And yes, they rock.

If you ever find yourself in an organisation at level 1, also known as “Saved by the heroes,” you will have a small dilemma on your hands. The heroes keeping things afloat will not be able to lift the organisation to the next level. They are, ironically enough, part of the problem, and as much as you may dislike it, you will need to bypass them and somehow limit the heroics.

Generally, when you read the model, you may view it as a set of stairs with very big steps. No organisation will ever jump more than one step at a time. Some may move quicker than others, but each step needs to be taken one at a time.

So, to get the most out of the model, identify where on the model your organisation generally is right now, and then take initiatives aimed at moving up to the next level.

It may trick you, as it did me for many years, that levels 1 and 5 are both decentralised, which is typically a good thing; but in raising maturity from levels 1 and 2, you will need to completely let go of decentralisation and put all your focus on top management.

This was counter-intuitive for me, but after creating this model and working with it for a bit, some of the trouble I have had and seen became very clear to me.

To illustrate exactly this point, I’m often referring to the model in the form of an hourglass, widest at the top and bottom and narrowest in the middle:

5) Autonomous: Security is understood, demanded, implemented and controlled autonomously by all employees.

4) Structured: Compliance, risks, incidents and controls are managed, controlled and measured throughout the organisation.

3) Accepted: Management of compliance, risks, incidents and controls is accepted as an important responsibility of the executive management team and is being implemented in key roles in the organisation.

2) Recognised: The need for security is recognised by management. Risk management and compliance appear in limited areas of the organisation (e.g. in projects).

1) Heroes: Security relies on a few independent heroes in the organisation.

The maturity model illustrated in the form of an hourglass

The model above is closely aligned with CMMI, and the two go hand in hand nicely.

Fill out our free survey in approximately five minutes and find out how mature your organisation is in terms of handling risks, compliance, and security: