This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How to set maturity and capability targets
Hello Rob and all the communication,
Many thanks for your work and your powerful publications in the field of SOC. I have a question about SOC-CMM. How to determine the target? You indicate that it is based on ambitions and that it is optional. Is this based on a feeling, an estimation from the SOC manager? I'm having trouble figuring out how to set it.

Thanks for your help,
Have a good day.
Hi Anders,

Sorry for the late reply.

Determining where to set the target is a strategic decision. I personally believe that the appropriate capability and maturity level for a SOC depends on:
- ambition: what goals are you trying to achieve with the SOC?
- risks: what risks are you facing as an organisation and what role does the SOC have in mitigating those risks?
- organisational maturity level: how mature is the organisation? Having a mature SOC in an organisation with low overall maturity will create a mismatch.
- threats: what threats are you protecting against and what capabilities do you need to protect against these threats? This also depends on the profile of the threat actors you are facing and will change over time.
- willingness to invest in maturity. Maintaining a higher level of maturity requires more effort. Thus, more personnel is required.

All these are factors that contribute to setting your target.

Hi Rob,

no problem for the delay, it was holidays for many people Wink

Thanks a lot for your answer.
What I find a bit complicated for the first time using the method is to project yourself when you don't really know what each maturity level corresponds to.
For example, in my work, for an audit based on ISO 27001, we have a small survey to help determine a maturity target.
I don't know if you keep in a corner some feature requests but do you think that would be interesting to include ?

Have a good day and good week-end

Translated with (free version)
Hi Anders,

I agree that setting a target is difficult if you have no reference. I think many users will be able to set a concrete maturity goal only after they have completed an initial assessment. I may include some guidance on setting maturity targets (basically, what I've posted above) in the SOC-CMM. A feature to include a survey for setting the maturity target is not something I want to pursue at this moment.

Of course, if you have ideas about a more concrete survey to determine the maturity target, feel free to post it here!


Forum Jump:

Users browsing this thread: 1 Guest(s)