Wikipedia reports that Philip Crosby is considered the forefather of the Capability Maturity Model.

I have been using this model extensively for over ten years when consulting on security controls. It is a far better way of documenting and illustrating control status rather than pass/fail, as it shows a continuum of improvement.

In other words, rather than telling a company they “failed” the security test, you can say they have achieved a initial step and only have a couple more to go.

With that in mind, I just ran into a rather funny illustration. It comes from “one of the first publications” by Crosby, meant to help reduce defects in guided missle design and manufacture.

The Control Maturity Levels, just for handy reference, are these:

0 Control is not documented

1 Control is documented

2 Control is consistently applied (implemented)

3 Control is working (tested)

4 Control is measured

Companies often mistakenly rest on their laurels after achieving level 1, documentation of controls. This is the equivalent of trust, without verification, and rarely accurate. Meanwhile security firms often look for evidence of level 3. The gap is where the friction of compliance comes from.

Tests quickly prove vulnerabilities exist, but the real challenge is to find management that is able to move a company solidly into level 2 (implementation). In other words, do they have someone who can reliably answer the question “Will it work?”