Contact Us

Cyber security
maturity models
demystified,
and how to
implement one

Author: Phil Muncaster

A foundational pillar for any successful business today is the ability to manage cyber security risk effectively. Why? Because it's now a top business risk. According to The Global Risks Report 2021 compiled by the World Economic Forum, respondents rated "cyber security failure" as a "clear and present danger" over the next two years. But the right answer isn't simply to buy the best security solutions on the market. There's no way to fully cover every gap with technology alone, so security strategies must be more holistic than that.

This is where the cyber security maturity model comes in. When implemented effectively, it should contextualize security, helping to integrate it into business processes and measure progress over time.

What is a cyber security maturity model?

According to the U.K.'s National Cyber Security Centre (NCSC), "Maturity models can help to distinguish between organizations in which security is baked in and those in which it is merely bolted on." This in itself is a valuable exercise. But the GCHQ-backed intelligence agency adds that, while useful for assessing against past performance over time, they can't and shouldn't be used to compare against third-party organizations. That's because it's impossible to know the specific contextual factors that impact individual corporate maturity scores.

So why should security and business leaders care about maturity modeling? It's all about generating visibility and insight into what stage of development your organization is currently at and where it could be doing better. The maturity model provides a framework for making objective assessments across the most important domains and identifies what's needed to improve. This information can also be used to inform executive dashboards displaying current risk posture and to base future investment decisions on.

Within this model, even organizations that reach the top maturity level are on a continuous cycle of monitoring, evaluation and improvement.

Companies often don't know how mature their cyber security posture is until it's too late. Everything seems to be working just fine until it isn't. This partly explains the long and checkered history of big-name brands succumbing to security breaches. These incidents may otherwise have been foiled had victim organizations benefited from the insights driven by an effective process maturity model.

How do process maturity models work?

Security models help organizations make improvements over time by providing crucial visibility into their ability to manage cyber risk effectively and embed security into day-to-day and strategic operations. There are many preexisting types of process maturity models, including those run by the Department of Defense (Cybersecurity Maturity Model Certification) and the Department of Energy (Cybersecurity Capability Maturity Model Program, or C2M2).

Process maturity models enable organizations to assess key process areas (KPAs) or practices in various domains considered essential to a mature cyber security strategy. For example, the C2M2 assesses KPAs in the following:

  • Risk management
  • Asset, change and configuration management
  • Identity and access management
  • Threat and vulnerability management
  • Situational awareness
  • Information sharing and communications
  • Event and incident response, continuity of operations
  • Supply chain and external dependencies management
  • Workforce management
  • Cybersecurity program management

Each one of these domains has a description of the kinds of activities and processes organizations would typically follow at various levels of maturity. After assessing these, you'll be able to tell you which level in the process maturity model maturity level your organization is at and take appropriate action. Typically, there are five levels:

  1. Initial/starting: No security controls, no formal program and only ad hoc processes that aren't repeatable, measurable or scalable.
  2. Repeatable/developing: Some repeatable, documented processes and some security controls. Security leadership has been established, although communication is still informal.
  3. Defined: Roles and responsibilities are beginning to be established. Processes are becoming more formalized and standardized. More controls are being documented.
  4. Managed: Clearly defined roles and responsibilities. Controls and processes are being monitored and measured for compliance and continuous improvement but unevenly so.
  5. Optimized: Security is fully integrated into the fabric of the organization, its culture and business processes. Continuous improvement of security skills. Risk-based processes are automatically and comprehensively implemented, documented and optimized.

How can my organization implement a cyber security maturity model?

The first step to turning theory into practice is to decide whether to follow one of the many established cyber security maturity models out there or to develop one in-house. Once it's time to use your chosen maturity model, consider the following four key steps:

  1. Evaluation: Choose as broad a range of internal evaluators as possible, including operational and management staff, to assess the various required practices in each domain. The resulting scores will show your maturity levels for each domain.
  2. Analysis: The evaluation report will also highlight where there are gaps in performance. Assess whether these are meaningful and if they require further action.
  3. Prioritization and planning: Prioritize which gaps to fix, according to cost-benefit analyses, how important the business objective supported by the domain is or any other desired criteria. Then draw up a plan of action.
  4. Implementation: Implement the above plans and periodically evaluate your progress to check maturity is improving over time at the required rate.

Above all, be mindful that the whole process doesn't turn into a box-checking exercise for compliance. A cyber security maturity model is a great way to measure and improve your organization's security capability and processes, but it requires continuous management and attention to be effective.

To find out more on current cyber threat trends, check out Verizon’s latest Data Breach Investigations Report.