The Cyber Security Maturity Assessment (CSMA) is a gap analysis and risk assessment that uses cybersecurity best practices and recognized cyber frameworks to answer key questions about your existing security program. While the CSMA is particularly valuable to medium and large businesses, the assessment can benefit organizations of any size.

The goal of the CSMA is to provide a view of your current security posture, an objective review of existing plans, and a guide to strategic planning. The CSMA will also help your organization develop tactical and strategic directions to further mature and strengthen your security program efforts.

The Cyber Security Maturity Assessment focuses on specific controls that protect critical assets, infrastructure, applications, and data by assessing your organization’s defensive posture. The assessment also emphasizes operational best practices for each control area, as well as the organizational effectiveness and maturity of internal policies and procedures.

The CSMA can be tailored to align with several recognized cybersecurity control sets and frameworks, chosen according to your organization’s goals, industry, and maturity level, such as the Center for Internet Security Top 20 Critical Security Controls (CSC20), the NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001:2013 (ISO 27001), NCA ECC-1:2018, etc.

Maturity Level 1 – Initial – score between 1.0 and 2.0

Organizations at the Initial level lack formal cybersecurity policies and functioning cybersecurity governance, or score very low in multiple security domains.

In today’s cybersecurity climate, scoring at the Initial level is unacceptable for any organization that owns and manages IT assets and owes duties to shareholders, investors, regulators or the public.

Recommended Actions to Improve the Score:

  • A program to establish a strong CISO (or similar) position
  • Develop or refresh the security charter
  • Establish security governance committees
  • Increase staffing in both security policy and security infrastructure development positions

Maturity Level 2 – Managed – score between 2.0 and 3.0

The typical organization at the Managed stage has a functioning security program, some security processes and infrastructure elements operating effectively, and multiple security initiatives under development. However, such organizations tend to be weak in basic domains such as network zoning and perimeters, and score relatively low on overall identity and access management (IAM). It is also unusual at this stage to find good levels of accountability and automation in security processes or technology, or to find advanced vulnerability management, data loss prevention (DLP) or security information and event management (SIEM) technologies in operation.

Recommended Actions to Improve the Score:

  • Fix the gaps found during the assessment
  • Implement DLP and SIEM
  • Implement service ticketing, asset management, and IAM
  • Deploy privileged access management (PAM)

Maturity Level 3 – Defined – score between 3.0 and 4.0

Organizations at the Defined stage have established a comprehensive set of organization-wide security processes, policies and documented technical controls. However, they typically remain over-reliant on individual efforts. Processes such as change management, audit and supply chain security still need to improve. More work is also needed on increasing role-appropriate security knowledge and awareness, and on advancing the sophistication of security monitoring, analytics, and privileged access management controls.

Recommended Actions to Improve the Score:

  • Enhance verification and accountability by implementing audit, change management, advanced security monitoring and metrics
  • Build strong risk management
  • Review and monitor metrics such as key performance indicators (KPIs) and key risk indicators (KRIs)

Maturity Level 4 – Quantitatively Managed – score between 4.0 and 5.0

Every organization wishes to claim that its security program is “well-managed”, and once it reaches the Quantitatively Managed maturity level it can say so with assurance. At level 4, organizations have defined and built a comprehensive set of people, process and technology controls. However, they remain reliant on manual processes and face challenges sustaining the security program in the face of continuous change in the threat, regulatory, technology and business landscapes.

Recommended Actions to Improve the Score:

  • Focus on increasing the level of automation for the infrastructure and processes
  • Expand functions such as vulnerability management and security monitoring to cover hybrid public/private cloud environments
  • Advance access management, security monitoring and DLP to support traditional, virtual, mobile and cloud endpoints

Maturity Level 5 – Optimized – score equal to or greater than 5.0

At the Optimized maturity level, organizational security programs (almost) have it all. They have raised the bar on organization-wide security process and technology infrastructure to a high level, including accountability, metrics, and automation. To be clear, though, not all organizations at this level are so intent on continuous improvement that they will keep throwing increased funding and resources at security for security’s sake.

Recommended Actions to Maintain the Score:

  • Focus on sustainability and adaptability through continued work on architectural approaches that abstract and future-proof both process and technology interfaces
  • Establish an organizational culture that supports continuous improvement in security and risk management-related skills, processes and technologies

The cybercomply Cyber Security Maturity Assessment service consists of interviews with key people in the organization, such as the cybersecurity team and the IT team, and a detailed review of policy documentation and operational procedures. Our experts are ready to help you get to know your cybersecurity program and learn how to improve it.