Defining Scope

Determining the right scope is one of the most important decisions when starting a SAMM implementation. Should you assess the entire organization, a single business unit, or one team? The answer depends on your goals, context, and available resources, but if you’re starting out, the guidance is clear: start small.

A willing, representative team is the right entry point. It keeps the effort manageable, lets you demonstrate value quickly, and builds the foundation for expanding SAMM across the organization.

Evaluate your goals

Start by evaluating your goals. What do you want to achieve?

  • Do you aim to identify and prioritize areas of improvement in your organization’s security posture?
  • Do you seek to establish a baseline for measuring the effectiveness of your security program over time?
  • Do you want to demonstrate compliance with industry standards and regulations?

Defining your goals clearly ensures that your assessment is focused and effective, and that the resulting roadmap is aligned with your organization’s overall security strategy. Involve all relevant stakeholders (business leaders, development teams, security professionals, and other key personnel) to guarantee the assessment is comprehensive and aligned with the organization’s broader goals and priorities.

Consider your context

Think about your organization and the type of business context it operates in.

  • What value does it provide?
  • What products and services does it deliver?
  • Who is the customer?

Different types of business have varying security requirements based on customer type, geographic location, and their products and services. Compliance and risk exposure for a banking, e-commerce, or healthcare application will differ from those for a consumer game.

Internally, large organizations may have multiple lines of business with distinct regulatory obligations that require different levels of acceptable risk. Understanding your context is crucial to conducting a successful SAMM assessment and ensuring your roadmap aligns with your objectives.

Be realistic

Set realistic goals in terms of scope.

  • Are you ready to implement an organization-wide assessment?
  • If you’ve done this before, can you go a bit bigger this time? What maturity level do you need to achieve for the different business functions?
  • How far off do you think you are?

Tailor the assessment scope to your specific needs and objectives, ensuring that you have the necessary resources to carry out the assessment successfully.

Key considerations

SAMM implementation may vary across teams. Maturity objectives and outcomes will differ if teams work with different methodologies or technology stacks.

If there are multiple business lines in your organization, consider their business-IT alignment issues independently. Compliance requirements may not be the same for all teams or applications.

You must also account for outsourced development: don’t set higher standards for your internal teams than for your suppliers.

Examine the available resources, budget, and timing. These resources are not infinite and must be allocated strategically.

Defining the scope

Careful consideration of the organization’s overall ambition, resources, and current maturity level is essential when determining scope. Once you’ve taken these factors into account, evaluate your options.

If your organization has limited resources or a specific area of concern, it may be most effective to assess a single line of business, product group, system, or team. If your organization has a broad range of operations, assessing the entire organization may provide a more comprehensive overview. Ultimately, tailor the scope to your specific needs and objectives.

When choosing your scope, make sure that everyone within it works in the same manner. They should follow the same procedures, be aligned in their practices, and have the same management style. Inconsistencies are a sign that your scope is too broad.

Starting out: your first assessment

If this is your first SAMM assessment, start with a willing team. This gets you started with a group that’s open and eager to do the work, making the scope more manageable. Choose a team that’s representative of the organization: one that other teams can relate to.

Starting with the entire organization is usually a steep learning curve for everyone involved. Demonstrate the value of adopting SAMM first, then grow from there.

Flag any practice that may be shared with multiple teams. Governance and parts of Operations are often shared functions.

Scaling up: multiple teams

If your scope already includes multiple teams, some will likely be working in different ways. If that’s the case, you may need to run multiple assessments. Think about consistency: if the same team works on different applications in a similar way, consider a single assessment for that team.

Some practices or business functions may be similar across all teams. If training is shared organization-wide, you can reuse scores for related activities in Governance. Verify that shared practices actually reach and are applied by all teams in each assessment.

Dividing assessment questions by role also helps manage multiple assessments: only involve the relevant people (for example, asking Verification questions to testers). Cross-check that teams apply the guidelines set by the people interviewed for each practice.

Key takeaways

Regardless of scope, document the context of the assessment, including assumptions and stakeholders. SAMM is about measuring improvement over time, so you will repeat similar assessments in the future. Documenting context is how you achieve repeatability.

Set realistic expectations and targets. Understand the resources available and establish goals that are achievable given those resources.

Starting with a single team is an effective strategy when introducing SAMM in your organization. Build a solid foundation, create momentum, and expand from there, growing from one willing team to a more robust and secure SDLC across the organization.

Once you have a full SAMM cycle, consider donating your datasets to the benchmark initiative.