
Cyber Security Maturity Model
What is the Cyber Security Maturity Model
Cyber Security isn’t a one-size-fits-all package that can be purchased off-the-shelf. Technology evolves, new threats emerge daily, and every company is different. The challenge with Cyber Security is that, due to its complexity, it can be hard for people, even within the same organization, to agree upon and understand their posture and risk.
The Cyber Security Maturity Model seeks to use quantifiable metrics to help businesses understand where they are today, and set goals for tomorrow.
The Cyber Security Maturity Model has been designed to provide both guidance on Policy, Controls, Risk Management and Governance that are relevant today as well as to provide a framework that can adapt to the ongoing evolution of Cyber Security.
Cyber Security Maturity - Hitting a Moving Target
Cyber Security isn’t a destination, it’s an ongoing journey with no finish line.
Achieving Cyber Security maturity is something that organizations should strive to reach over time. Once an organization has a mature Cyber Security program, it will be equipped with the knowledge and power to adapt to the ever-changing threat landscape – a key to becoming a resilient organization. It sounds simple, but gaining Cyber Security Maturity is a fluid, never-ending work in progress.
Cyber Security Maturity Levels / Tiers
The Cyber Security Maturity Model uses “tiers” to help a business identify where it is today and set goals for tomorrow. There are 5 different stages of Cyber Security Maturity, starting with Tier 1, the “Ad Hoc” level, and progressing to Tier 5, the “Optimized” level. Below we explore the tiers of the Cyber Security Maturity Model.
Tier 1: Ad Hoc
In the Ad Hoc tier, organizations have minimal awareness of what Cyber Security means from a process and procedural perspective. There is typically no formal Cyber Security program in place, and no policies or procedures. From a technology perspective, there are very few controls in place, with minimal oversight (if any).
Minimal Cyber Security Awareness / Knowledge
None to minimal Business Leader Involvement with Cyber Security
No formal Cyber Security program in place
Few Controls with zero-to-minimal standardization or oversight (e.g. basic router/firewall, non-standardized or consumer Antivirus, unmanaged patching, etc.)
No IT Risk Management process
Tier 2: Foundation
In the Foundation tier, organizations have some awareness of Cyber Security and have taken some basic steps towards it, such as using commercial-grade firewalls, standardized Antivirus software, password policies and perhaps even multi-factor authentication (MFA).
Some basic Cyber Security Awareness / Knowledge
Minimal Business Leader Involvement in Cyber Security
Rudimentary, template-based Cyber Security program in place
Some basic controls in place (e.g. commercial firewall, standardized AV, managed patching, spam/phishing filter, etc.)
No IT Risk Management process
Tier 3: Managed
When an organization reaches the Managed tier, it performs annual vulnerability scanning and Cyber Security gap analysis, and has implemented controls against all common attacks. These organizations are often driven by a requirement or desire to comply with a cyber security framework or regulation. They often still have limited Executive or Board involvement.
Improved / General Cyber Security Awareness / Knowledge
Some Business Leader involvement in Cyber Security
Basic Cyber Security program with some customized processes (Incident Response Plan, Business Continuity Plan etc.)
Ongoing Staff Cyber Security Awareness education program
Controls against common threats (Ransomware Protection, Phishing Protection etc.)
Monitored Cyber Security and active threat response
Vulnerability Scanning
Annual Gap Analysis & Shore-up
No or informal IT Risk Management process (ad hoc Risk Assessments)
Tier 4: Secured
Organizations in the Secured tier have implemented technologies to compartmentalize breaches, classify data and verify the identity/integrity of their devices before they are granted access. These organizations are typically moving from a compliance-driven Cyber Security strategy to an IT Risk Management strategy, with risks reviewed quarterly and active Executive and Board involvement.
Heightened Cyber Security Awareness
Cyber Security is a regular agenda item for the business
Some Cyber Security governance process established
Advanced Cyber Security controls in place (network segmentation, network IDS, port security, zero trust device security / connectivity, restricted access to cloud apps, use of SASE / CASB).
Documented controls, policies and procedures
Formal IT Risk Management process with evidence of controls - reviewed annually
Quarterly Gap analysis and shore-up
Internal Cyber Security committee and designated Incident Response coordinator
Governance and oversight from Board of Directors
Independent 3rd party Cyber Security auditing
Tier 5: Optimized
When an organization has reached the Optimized tier of Cyber Security maturity, Cyber Security has become a core practice in its business, often with an executive in charge of cyber security and some internal resources, including an Incident Response team. Tier 5 organizations have formalized IT Risk Management and Governance processes and committees.
Cyber Security-driven culture
Executive in charge of Cyber Security
Automated and human validation of Cyber Security controls
Controls tested and tweaked for continual improvement
Formal IT Risk Management with continual updates based on threat intelligence
Monthly IT Risk Management meetings and Board reporting