There are several myths about measuring cybersecurity maturity.
- "Cybersecurity is a new industry and there is not enough information to measure maturity."
- "You can only apply maturity models when you have well-defined processes, as might be the case with software implementation. It is impossible to do so with cybersecurity, where new and disruptive issues or situations show up every day."
These are in fact commonly used excuses. It is entirely possible to take practical steps that allow the cybersecurity maturity level to be assessed quantitatively.
What do we mean by assessing maturity?
In general, a maturity model is a way to assess and improve skills, capabilities, and competencies. A maturity model can be defined as a set of characteristics, attributes, or metrics that represent the current state, the progression, and the level of success in a given domain or discipline.
A maturity model allows an organization to assess its practices against a collection of benchmark checkpoints. Assessing these checkpoints gives a clear understanding of the organization's current position and supports building a roadmap to raise the maturity level in line with business objectives.
Are we improving our cybersecurity? Are we a cyber-resilient organization? How do we keep improving? Have we done better than last year? How can we find out?
Our top picks
- Follow international standards, such as ISO/IEC 27001, PCI DSS, and the NIST Cybersecurity Framework (NIST CSF).
- Choose the cybersecurity maturity framework that best fits your organization.
- Perform a baseline assessment to establish your current status and risk profile.
- Have a dashboard that measures maturity for each domain and control area. From then on, this is how you track your maturity level.
- Set a maturity target for your organization. Do not aim for the highest maturity level by default; choose the target according to the organization's risks, since each additional level carries cost and effort that must be justified by the risk it reduces.
- Align the board and stakeholders with the objective.
- Implement practices and controls. The focus should be on improving and on measuring that improvement, not merely on reaching a maturity level.
- Perform regular reassessments to measure progress and drive continuous improvement.
Above all, it is important to understand that this is not merely a compliance exercise. It must be a process of ongoing improvement that aligns maturity with business objectives, based on risk.