
Abstract
While large organizations often lead in cybersecurity maturity, with average OWASP SAMM (Software Assurance Maturity Model) scores that reflect structured governance, small and medium-sized enterprises (SMEs) struggle to move beyond ad-hoc, reactive security. Our research addresses this critical “maturity gap” by presenting results from recent OWASP SAMM assessments within the SME ecosystem. Although these organizations often show a significant understanding of enterprise-wide risk, they face substantial hurdles in performing threat assessments, designing secure architectures, and implementing secure build processes.
Our research further shows that SMEs often favor tangible, reactive solutions over a structured approach. This results in a critical absence of systematic metrics and a lack of strategic coherence at both the organizational and cross-project levels. To bridge this divide, we explore a multidisciplinary approach for transitioning from fragmented security tasks to a unified, future-proof strategy. We propose actionable pathways that enable SMEs to scale their security efforts efficiently within their unique resource constraints, while simultaneously building a robust foundation for compliance with emerging regulatory frameworks such as NIS2 and the Cyber Resilience Act (CRA).