I've observed the following evolution of information security functions over the years as they grow in maturity. I've represented this evolution in maturity below as a series of statements, paraphrased from many discussions with many organisations. Keen to get people's feedback, and more submissions of similar statements and where they fit in the order below.
1. "What do you mean? We've got security, we have a firewall and antivirus."
2. "So we have to comply with (insert compliance requirement here)? Well, we'd better write a security policy on that."
3. "Gee, we have a lot of compliance requirements now. We'd better start tracking them in a compliance requirement register so they get put in the policy."
4. "That security incident wouldn't have occurred if people complied with the damn policy! How do we check they comply with the policy? Policy compliance checks, that's how."
5. "Hey, there's a project over there that could bring in new risks. Let's do a policy compliance check on it."
6. "Hey, it was good we did that compliance check: there was non-compliance and new risks were being introduced. We'd better make a risk register to record these risks."
7. "No-one knows about the security policy, and they won't heed it! We'd better get some executive commitment in a security charter, as they won't read the whole set of documents, and do some security education."
8. "No-one is fixing the policy non-compliances we are noting; we need to track them. Let's issue exemptions and put them in an exemption register."
9. "I wish all these projects would stop asking me how to comply with policy. Maybe we need an enterprise security architecture to show them what to do?"
10. "It's hard to translate the security policy into an enterprise security architecture; maybe we need some specific-purpose standards and some guidelines?"
11. "Darn, that security incident occurred in an existing system/business process! Maybe we should do compliance checks on all the Business As Usual (BAU) systems?"
12. "Aargh! There are so many of these BAU systems! We need to record these and identify the critical ones so we can start on the most important ones first. Wish we had some asset management and data classification in place."
13. "Wow, there's a lot of information assets; how are we going to classify all of these? Let's get someone embedded in each business unit to help us with this."
14. "What about business processes? They create the information assets that go into the systems, which is what makes the systems critical. We'll do risk assessments on business processes to help us identify the critical systems!"
15. "Wow, we've got a lot of risks in risk registers for each business unit and they are all written differently; it would be good to get an enterprise view of this. We need to build/buy a risk management system pre-populated with risk descriptions."
16. "The policy and standards represent controls; maybe we should identify the key controls, test them and put the risks in the risk management system."
17. "Too many spreadsheets! I wish I could standardise all this control testing; can we put that in the risk management system?"
18. "People are saying we say no too often and too late in the project lifecycle. How can we engage with the business better? I guess we could empower projects to set their security requirements, conduct their own risk assessments and control testing? Trust but verify! It works for Microsoft!"
About Me
- Matthew Hackling
- Matt runs his own security consultancy called Ronin Security. His focus is information security management and he has a keen interest in infrastructure and web application security. He's a CISSP and the current Branch Executive of the Melbourne chapter of the Australian Information Security Association.
Saturday, October 3, 2009