Someone in charge
There must be someone, staff or service provider, with whom the IT security buck stops. This job is not a good candidate for shared responsibility, as it requires far too much focus. At present, this responsibility often falls on the IT head. Having been an IT head for many years myself, I recognize the futility of this approach. An IT director or VP must by definition be a generalist. Such a person cannot also be a security specialist.
A defined budget
While maturity is not defined by the size of the budget, the infosec budget must be segregated and discrete from overall IT expenditures. If it ever comes down to choosing between security and purchasing new laptops, security will always lose.
Good art work
By this I mean network and data flow diagrams that make clear how data moves through an organization. The importance of this cannot be overstated. I have been working this week with a PCI customer on a firewall review. I was struggling to get a clear picture of how their many firewalls fit into the operation, until they sent me their network diagrams, which I printed on large paper in full color. They answered more questions than would fit in 100 email messages.
One of the key principles of data protection is knowing what assets you have, and what they are worth. A picture in this case is truly worth a thousand words.
Tools that get used
Too often, we treat information security like the game "he who dies with the most toys, wins." Beyond the basics like firewalls and anti-malware software, expensive tools are not essential. Such investments must be viewed as automating what can be done manually. When the tool becomes less expensive than the equivalent cost in man hours, you buy the tool. Regardless of what tools you buy, however, they must get used. In a recent post, I mentioned the term "shelfware," defined as security tools that sit on the shelf, or are not used to their full potential. If you buy it, get the full return on your investment.
Detailed recordkeeping and planning
At times, I think that terms like "incident response" and "incident management" scare people away unnecessarily. The basic concept is very simple, however, requiring just that you keep good records about what happens, and know in advance how you will deal with problems when they occur.
Testing, testing, and testing
Test your systems and applications, and keep testing them, even when nothing changes. Find your issues before a hacker does, and then fix them.
Involvement by everyone
Everyone in the organization must accept that their responsibilities include information security. It has been my experience that most employees, once someone explains the high stakes, will do their part. The few that won't are a liability, and should be directed to alternate employment opportunities.
The bottom line -- security maturity is not measured by the amount of money you spend, but by how well you handle the fundamentals. It is all about focus.