A cyber maturity assessment on the surface can seem quite a blunt tool for security posture assessment, however, lift the lid a little and you’ll discover that there is an entire range of assessments that can be applied in all kinds of different forms, resulting in valuable insights.
The stereotypical use of a cyber maturity assessment is to assess an organisation’s maturity of cyber capability, usually against some kind of CMM (Capability Maturity Model). Many of the big4 and security consultancies do this in many different ways but it often boils down to the same components.
Firstly, you make your assessment against a cyber capability assurance framework which holds a set number of cyber domains or capabilities that are used to assess and report against, for example;
- Identity and Access Management
- Network Security
- Physical Security
- Security Platform Administration and Management
- Secure Development Lifecycle Management (SDLC)
- The list goes on…
A team of security professionals then come into your organisation, interview members of IT Security, IT, the business, CISO, Heads of IT/Change/Technology/etc. to understand your capabilities in the defined capabilities in the framework. Using various methods and tools to ensure objective and consistent assessment across all domains, the cyber capabilities are then reported on by maturity, usually using the CMMI cyber maturity scale (1-5, 1 being the most immature and 5 being the most mature).
In a nutshell, that’s what a cyber maturity assessment entails. However, over the years the foundational reasons why organisations are using these types of assessments has been changing dramatically.
Almost a decade ago, these assessments were being primarily used as a tool to drive education and awareness to more senior decision makers in an organisation to try and convince them of the importance and need for focus on security issues. It was a time when even in some of the largest FTSE100 and Fortune 500 companies, boards of directors still needed convincing that security should be at the top of their list. Simply put, the maturity assessment was a great tool to show the awful state that our internal controls were in and thus instigate some action (and ultimately gain funding) to help uplift the security capabilities of the firm.
However, as security and the industries have moved on, this moved away from simple awareness and moved towards a decent mechanism by which you could actually gain funding by. It no longer was simply used as a scare mongering tactic for board members, it was forming parts of business cases to demonstrate where the funds needed to be applied. One could use ‘Target Maturities’* to show where different levels of investment would take the organisation in terms of cyber capability maturity. In my opinion, this is where we start to get into the powerful applications of the cyber maturity assessment.
*Target Maturity – based on the same CMM as the assessed “current state maturity”, a target maturity sets out either; a) where an organisation wants to be in terms of future cyber maturity for a given cyber capability, or; b) as a result of a defined scope of work (e.g. an in-flight project that is establishing a Security Operations Centre) it can illustrate what the progression in cyber maturity will be once the project has completed.
Furthermore, with the tools for delivering and reporting these kinds of assessments expanding and becoming more fully fledged offerings, organisations have more recently started using cyber maturity assessments as a strategic tool to drive change through the business and report on the strategic risk reduction over time. This has been typically done by performing an initial ‘normal’ assessment (usually 4-10 weeks in duration depending on scope) and then agreeing to perform assessment ‘snapshots’ on an ongoing basis at a set frequency (usually 6 or 12 months, depending on the level of change occurring in the firm). A 6 month frequency can be good for organisations that have significant security programmes in flight and they want to regularly report/validate cyber maturity improvement, otherwise annual snapshots are adequate.
This journey for cyber maturity assessments from a simple tool for awareness to senior executives, through to being an active part of funding requests, all the way to becoming a tool for demonstrating strategic risk reduction in the long term is quite remarkable. It is testament to how far the market has come and also demonstrates the ongoing applicability of a seemingly ‘basic’ tool for many interesting and valuable purposes.