
Determining your cybersecurity maturity

by Sebastiaan Bosman Blog 12 Aug 2021

How safe your organisation is from a cybersecurity point of view depends on many factors. Not only must your private and confidential data be kept private and confidential through a plethora of technical defenses; there are also many processes to consider, such as those for IT governance and incident response. How your organisation deals with all these challenges determines its cybersecurity maturity. But why is determining this maturity level important?

Checking your posture

Your organisation’s cybersecurity maturity is a key ‘score’ for various reasons. Firstly, it can be used for setting and monitoring internal goals, benchmarks and performance, at departmental as well as organisational level. Does the organisation have the required systems, resources and knowledge in place to meet its goals? And if not, what should change to make it to the next step?

Secondly, a certain level of maturity can be critical in meeting mandatory requirements. For instance, insurance companies can set cybersecurity standards their clients will have to meet. The same applies to regulatory measures set by governmental or institutional bodies, such as the GDPR, or the European Banking Authority making full insight into financial institutions’ supply chains compulsory. More often than not, failing to meet these standards will result in hefty fines. Understanding where the organisation is doing well and where it needs to improve is imperative in staying compliant.


Realising a maturity score

Now, where do you start? All those different factors contributing to the overall cybersecurity maturity aren’t easily mapped. Luckily, cybersecurity maturity models help to differentiate between the topics and determine the level of maturity for each category. An example is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). It has different ‘tiers’ to indicate the maturity for five cybersecurity phases:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The tiers differentiate the ways in which each of these phases is handled, ranging from informal, reactive responses to a way of working that is more agile and risk-informed.

Which model you should use depends on your type of organisation. Though there are regulatory overlaps between markets and verticals, there are also specific models for specific markets. In this whitepaper, we have examined the cybersecurity maturity model for municipalities (in Dutch). It marks the four levels of maturity for the overarching ‘Technology’ department of such an organisation.

For instance, one scoring category in a cybersecurity maturity model is the use of an incident reporting and monitoring system. An organisation that has no such system in place would score itself at the bottom level. The next step forward would be to implement such a system, featuring an audit trail. To get to level three, that system should also be integrated into the overall ISMS. The top level would be to have effective and periodic reviews of the system and related processes.

Both of these examples are self-assessment models, meaning that they provide progressive levels of maturity for different topics, and the organisation has to rate itself at the appropriate level.

Though such methods are far more subjective, these models do clearly set out what the next steps for each cybersecurity phase are. This makes organisations aware of the opportunities to grow at each separate stage. At the end of an assessment, the accumulated scores result in an overall maturity level and a clear picture of the areas that can be improved on.


Ready for the next step

Conducting periodic maturity assessments will help you stay aware of the progress being made in different fields. Do you still meet the mandatory requirements? And are you still on track to meet the goals set at the beginning of the year?

Knowing where you stand also helps in determining what you need to get to the next level. There is no value in purchasing a complex and detailed security tool if you don’t have the foundation in place yet. Understanding the maturity position allows for the right resource allocation at the right time. Stay in control of the process and keep adjusting your path and pace to grow.
