I have developed my own maturity model, the Cultural Capabilities Maturity Model (CCMM), to facilitate communication and to give InfoSec programs another tool with which to tell the story of people-centric security. Like the FOXTROT case study and the model of the financial impact of culture on security incident losses in Chapter 8, the CCMM is meant to be one more way to demonstrate to stakeholders what the security culture transformation project is intended to accomplish. Note that the CCMM is not limited to information security culture; it can be used to describe organizational culture much more broadly.

But I will limit the discussion here to its utility in the context of a security culture transformation project. Figure 16-1 shows the CCMM.

Figure 16-1 The Cultural Capabilities Maturity Model

The CCMM, like other maturity models, divides cultural capabilities into five levels of proficiency. At the lowest level, culture is not understood well at all and people in the organization operate on a form of instinct, reactively, without much insight into why the organization works the way it does. Returning to the iceberg metaphor from Chapter 3, they are like people above the surface of the iceberg who have no idea what is beneath the waterline or why the iceberg moves in the direction it does. At this level of cultural maturity, risk and uncertainty are high. The organization cannot identify cultural deficiencies or competing priorities that may negatively impact performance. At the top level of the CCMM, the organization has mastered its own culture to the point where it not only understands why people behave as they do, but can shape and drive behavior as necessary, quickly and efficiently, to meet just about any challenge. They are like people who have mapped the entire iceberg above and below the surface, calculated its mass and density, and created mechanisms to tow and push it in different directions. Cultural risk at this level is low, as the organization has a full understanding of its culture-performance linkages and can easily adjust to challenges.

Table 16-1 describes the specific organizational proficiencies that exist at each level of the CCMM.

CCMM Level / Organizational Proficiencies (the five levels are listed from the highest level of cultural maturity to the lowest)

  • Organizational culture is formally managed as a defined business process.
  • Cultural measurement and evaluation are automated within various systems.
  • “Optimal” cultural and behavioral traits are identified and embedded in business processes.
  • Culture, behavior, and performance are formally linked, regularly measured, and systematically reviewed.

  • Resources are officially devoted to cultural transformation and behavioral change efforts.
  • Cultural and behavioral interventions are regular processes.
  • Culture and behavior are measured over time to capture the outcomes of ongoing efforts and interventions.
  • Members of the organization are evaluated and held accountable on the basis of cultural performance as well as other performance measures.

  • Behaviors and cultural traits are formally measured and analyzed.
  • Cultural and behavioral patterns are observed and correlated with specific decision processes.
  • Cultural risks that impact business decisions are identified and documented.
  • Formal strategies are developed to reduce cultural risk, implement desired cultural traits and behaviors, and transform undesirable ones.
  • Cultural impact on performance is seen as a strategic consideration.

  • The need to analyze decisions and outcomes is understood.
  • The need to identify and change problem behaviors is recognized.
  • First attempts are made to formalize and encourage desired behaviors and cultural traits.
  • Policy and training are seen as proper ways to promote desired decisions.

  • Decisions are based on habit and “how we always do it.”
  • “Gut reactions” control responses to challenges or changing conditions.
  • Decision analysis is rare or nonexistent.
  • Behaviors are learned and transmitted informally from person to person, not formally documented or analyzed.
  • Politics and individual emotions are key decision drivers.

Table 16-1 Organizational Proficiencies Within CCMM Maturity Levels

