
Determining your cybersecurity maturity

by Sebastiaan Bosman Blog 12 Aug 2021

How safe your organisation is from a cybersecurity point of view depends on a lot of factors. Not only should your private and confidential data be kept private and confidential through a plethora of technical defences; there are also many processes to consider, such as those for IT governance and incident response. How your organisation deals with all these challenges determines its cybersecurity maturity. But why is determining this maturity level important?

Checking your posture

Your organisation’s cybersecurity maturity is a key ‘score’ for various reasons. Firstly, it can be used for setting and monitoring internal goals, benchmarks, and performance. This applies on departmental as well as organisational levels. Does the organisation have the required systems, resources and knowledge in place to meet its goals? And if not, what should change to make it to the next step?

Secondly, a certain level of maturity can be critical in meeting mandatory requirements. For instance, insurance companies can set standards for cybersecurity levels their clients will have to meet. The same applies to regulatory measures set by governmental or institutional bodies, such as the GDPR, or the way the European Banking Authority has made full insight into financial institutions’ supply chains compulsory. More often than not, failing to meet these standards will result in hefty fines. Understanding where the organisation is doing well and where it needs to improve is imperative in staying compliant.


Realising a maturity score

Now, where do you start? All those different factors contributing to the overall cybersecurity maturity aren’t easily mapped. Luckily, cybersecurity maturity models help to differentiate between the topics and determine the level of maturity for each category. An example is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). It has different ‘tiers’ to indicate the maturity for five cybersecurity phases:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The tiers differentiate the ways in which each of these phases is handled. They range from informal, reactive responses to a way of working that is more agile and risk-informed.

What model you should use depends on your type of organisation. Though there are regulatory overlaps between markets and verticals, there are also specific models for specific markets. In this whitepaper, we have examined the cybersecurity maturity model for municipalities (in Dutch). It marks the four levels of maturity for the overarching ‘Technology’ department of such an organisation.

For instance, a scoring category in a cybersecurity maturity model is the use of an incident reporting and monitoring system. When an organisation has no such system in place, it would score itself at the bottom level. The next step forward would be to implement such a system, featuring an audit trail. To get to level three, that system should also be integrated into the overall ISMS. The top level would be to have effective and periodic reviews of the system and related processes.

Both of these examples are self-assessment models, meaning that they provide progressing levels of maturity for different topics, and the organisation has to place itself at the right level.

Though such methods are far more subjective, these models do clearly show what the next steps for each cybersecurity phase are. They make organisations aware of the opportunities for growth in each separate stage. At the end of an assessment, the cumulative scores result in an overall maturity level and a clear distinction of the areas that can be improved on.


Ready for the next step

Conducting periodic maturity assessments will help you stay aware of the progress being made in different fields. Do you still meet the mandatory requirements? And are you still on track to meet the goals set at the beginning of the year?

Knowing where you stand also helps in determining what you need to get to the next level. There is no value in purchasing a complex and detailed security tool if you don’t have the foundation in place yet. Understanding the maturity position allows for the right resource allocation at the right time. Stay in control of the process and keep adjusting your path and pace to grow.
