How safe your organisation is from a cybersecurity point of view depends on a lot of factors. Not only should your private and confidential data be kept private and confidential through a plethora of technical defenses, there are also, among others, many processes such as IT governance and incident response to consider. How your organisation deals with all these challenges determines its cybersecurity maturity. But why is determining this maturity level important?
Checking your posture
Your organisation’s cybersecurity maturity is a key ‘score’ for various reasons. Firstly, it can be used for setting and monitoring internal goals, benchmarks, and performance. This applies on departmental as well as organisational levels. Does the organisation have the required systems, resources and knowledge in place to meet its goals? And if not, what should change to make it to the next step?
Secondly, a certain level of maturity can be critical in meeting mandatory requirements. For instance, insurance companies can set standards for cybersecurity levels their clients will have to meet. The same applies to regulatory measures set by governmental or institutional bodies, such as the GDPR law, or how the European Banking Authority has made full insight into financial institutions’ supply chains compulsory. More often than not, failing to meet these standards will result in hefty fines. Understanding where the organisation is doing well and where it needs to improve is imperative in staying compliant.
Realising a maturity score
Now, where do you start? All those different factors contributing to the overall cybersecurity maturity aren’t easily mapped. Luckily, cybersecurity maturity models help to differentiate between the topics and determine the level of maturity for each category. An example is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). It uses different ‘tiers’ to indicate the maturity for five cybersecurity phases:
The tiers differentiate the ways in which each of these phases is handled. They range from informal, reactive responses to a way of working that is more agile and risk-informed.
What model you should use depends on your type of organisation. Though there are regulatory overlaps between markets and verticals, there are also specific models for specific markets. In this whitepaper, we have examined the cybersecurity maturity model for municipalities (in Dutch). It marks the four levels of maturity for the overarching ‘Technology’ department of such an organisation.
For instance, a scoring category in a cybersecurity maturity model is the use of an incident reporting and monitoring system. When an organisation has no such system in place, they’d score themselves on the bottom level. The next step forward would be to implement such a system, featuring an audit trail. To get to level three, that system should also be integrated in the overall ISMS. The top level would be to have effective and periodic reviews of the systems and related processes.
Both of these examples are self-assessment models, meaning that they provide progressing levels of maturity for different topics, and the organisation will have to place itself on the right level.
Though such methods are far more subjective, these models do clearly show what the next steps for each cybersecurity phase are. They make organisations aware of the growth opportunities in separate stages. At the end of an assessment, the accumulated scores result in an overall maturity level, and a clear distinction of the areas that can be improved on.
Ready for the next step
Conducting periodic maturity assessments will help you stay aware of the progress being made in different fields. Do you still meet the mandatory requirements? And are you still on track to meet the goals set at the beginning of the year?
Knowing where you stand also helps in determining what you need to get to the next level. There is no value in purchasing a complex and detailed security tool if you don’t have the foundation in place yet. Understanding the maturity position allows for the right resource allocation at the right time. Stay in control of the process and keep adjusting your path and pace to grow.