66 PART TWO PROCESS INSTITUTIONALIZATION AND IMPROVEMENT
The concept of using a maturity model to improve operational resilience may not at first glance appear to provide significant advantages over the simple implementation of a code of practice. Codes of practice, after all, typically represent a cumulative view of how an industry faces a challenge such as information security and can be of great benefit to all organizations that share this challenge. For some organizations, using practices alone will bring about improvement—improvement in the way that passwords and user IDs are managed, how incidents are handled, or how continuity plans are developed and tested. But lasting improvement depends on the organization’s ability to develop and inculcate a culture around managing operational resilience—that the operational resilience of the organization is everyone’s job and responsibility. Security and continuity training and awareness alone do not create such a culture or provide it with the foundation it needs to flourish, particularly during times of stress.
At its core, a maturity model is about improving the organization’s capacity and competency for producing high-quality results, no matter the circumstances. When such an approach is taken, the practices performed by the organization are embedded within a culture of improvement so that the performance of these practices is measured and improved and the capability is sustained. This is critical in managing operational risk because not all risks can be identified and responses to realized risk cannot always be planned.
A maturity model with a capability dimension provides a platform for measuring process institutionalization—the degree to which a process is embedded in the culture. Measuring the level of institutionalization of operational resilience management processes tells the organization something about how likely it is to retain these processes in changing risk environments.
In Part Two of this book, we discuss the capability dimension of CERT-RMM and the impact it can have on transforming the organization’s performance. We also provide guidance on how to use the model to begin an improvement effort or to get a “health check” on how your organization is managing operational resilience today.