Cloud Security Maturity Model (CSMM) Interview


Why did you develop the Cloud Security Maturity Model (CSMM)?
Why are you introducing a new model for cloud now? Why should anyone care?
Can you tell us more about the model and the concepts behind it?
How would IANS clients use the model and apply it within the context of their own environments?
Aside from assessing cloud programs and projects, how else can the model be used?
How do you see the model working with other security control frameworks that already exist?
In addition to the model, there is also a diagnostic tool. Can you describe the tool and its purpose?
If an organization already has an understanding of their maturity, why would they take the diagnostic?
What kind of organization would benefit the most from the model and this type of diagnostic?
We have multiple cloud environments – how does the diagnostic account for that?
What can I expect from the diagnostic output? What level of guidance does it provide?
How do you use the results from the diagnostic in a consulting project?
How often would you recommend a client complete the diagnostic and why?
What additional developments do you see for the model and diagnostic in the future?
How can the model and diagnostic results be used to present to business leadership or other audiences?

Is Your Cloud Security Optimized?

Security for cloud deployments is different from protecting traditional systems. With increased scrutiny on cloud security from large customers, Boards of Directors, and internal and external compliance assessors, all organizations need to consider the inherent security of their cloud stack and how they manage and control their access to it.

What will you get out of the diagnostic?

The CSMM diagnostic is designed to quickly determine your place on the maturity model. The point is to be able to pinpoint issues in your cloud security program and identify areas for improvement.

Take the Diagnostic Online
You will get maturity assessments across:
Your Entire Program

You will get a score for your maturity across all three domains.

Each Domain

You will get a score for each respective domain – Foundational, Structural, and Procedural.

Each Category

Finally, you will get a maturity score for each category within the model.


Mike Rothman

IANS Faculty

Mike is the President of Securosis, an information security research and advisory firm, as well as Co-Founder and President of DisruptOps, a cloud detection and response company. His breadth of experience in the information security space and bold perspectives are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike started practicing and advising on security topics over 25 years ago, and he’s been trying to get out of the business ever since…to no avail.


  • Cloud Security Practices & Maturity
  • Security Program Building & Management
  • Security Monitoring & SIEM
  • Security Automation & SOAR
  • Email & Web Security


Want to know more? Let us know how we can help you.
