Cyber security maturity models help defenders understand their security posture.
Organizations, with a Cyber security maturity model, can spot threats and find weaknesses across their attack surface. They tend to have formal and well-recognized procedures and processes, use risk to guide security decisions, and take an offensive approach to security.
As threats get more targeted and evasive, having a mature security posture is the only way to reliably reduce cyber risk.
Unfortunately, most organizations do not have a Cyber Security Maturity Models posture.
According to recent McKinsey research, most enterprises run their cybersecurity programs at a relatively immature level.
- After surveying security leaders in over 100 companies across different sectors, McKinsey found that only 20% were at an advanced level of cybersecurity maturity.
- 80% of the companies McKinsey surveyed were still in the “foundational stage” of maturity. This means that most organizations are taking an “ad-hoc management” approach to security rather than a proactive, mature one.
In an environment where maturity is more important than ever, cyber security maturity models provide a road map for safeguarding IT systems against cyber threats.
Benefits of Cyber Security Maturity Models
Cyber security maturity models can help prove that an organization is a trustworthy supplier.
However, achieving access to federal contracts is not the only benefit of following a maturity model.
Cyber security maturity models can also help CISOs and security teams:
- Benchmark their security posture against industry norms.
- Communicate security gaps and requirements to their boards and other stakeholders.
- Optimize their security investments and avoid duplication across their security tool stacks.
- Understand how effective their current security posture is against advanced threats.
- Balance their security portfolio across different environments and activities.
These benefits arise because security maturity is a continuous process.
Organizations with a Cyber security maturity model, never stop finding weaknesses, updating controls, and optimizing their ability to detect and prevent cyber-attacks.
Organizations in sectors ranging from healthcare and education to critical industries and manufacturing can benefit from following Cyber security maturity models.
Compliance vs. Risk vs. Maturity
There is no single definition of Cyber security maturity models. Instead, cyber security maturity can be defined in terms of its relationship to compliance and risk.
Compliance with one or more regulations is a foundational goal for most enterprise security programs.
Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), or the Payment Card Industry Data Security Standard (PCI DSS) require covered organizations to have a certain minimum standard of security controls and processes.
Compliance means ticking the boxes required under these regulations.
In cybersecurity, risks are measures of how much particular events or circumstances (like a data breach) threaten an organization.
Risks can be quantified and registered. For example, a risk register might determine that a firewall misconfiguration that allows network access would cost the organization x amount annually.
Understanding risk, and using it to make decisions, is an integral part of maturity.
A Cyber security maturity model can be described as a measure of quality. Maturity is how “good” an organization is at reducing risks.
To understand what this means, consider how an organization could apply a security control in a mature or an immature way.
For example, imagine an organization that wanted to block incoming traffic on its network edge. Its security team could do this by either:
(a) installing a firewall to block incoming traffic.
(b) blocking all traffic and only allowing allowlist outgoing traffic.
Here, option b would be the more mature option.
Five Notable Cyber Security Maturity Models
Cyber security maturity models show organizations what they must do to refine and iterate their security performance.
Here are five of the most widely used models for modeling cyber maturity.
NIST Cyber Security Framework (CSF)
The National Institute of Standards and Technology (NIST) CyberSecurity Framework (CSF) is a risk management framework.
The NIST cybersecurity framework is not strictly a Cyber security maturity model. However, it is often used by organizations to assess their cybersecurity maturity.
The CSF is a way for security teams to assess the different domains of their organization’s cyber program (NIST specifies 17 domains) across five key security functions:
Each NIST CSF function has its own sub-categories.
CSF controls are customizable to an organization’s own internal systems and processes. Every organization will have a different answer for any given NIST CSF sub-category.
The NIST CSF allows teams to map their Cyber security maturity model to one of four tiers: Partial, Risk-Informed, Repeatable, and Adaptive.
Organizations that want to show their alignment with the NIST CSF use a self-assessment process.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is a security maturity model that aims to reduce the supply chain risk created by contractors of the U.S. Department of Defense (DOD). It was created by the DOD.
The CMMC framework assesses cybersecurity risk across 17 domains and 171 cybersecurity practices.
Based on the number of cyber security practices an organization has in place and its alignment with NIST SP 800-171 alongside other cyber hygiene practices, the CMMC ranks an organization’s security maturity on a scale of one to five.
To be classified as level five in the CMC, an organization must have 171 CMMC cyber practices and meet a series of other criteria.
CMMC compliance needs to be verified by a third-party assessor.
CMMC 2.0 is the most recent version of the CMMC. It was announced in November 2021 and is currently in the rulemaking phase.
Once finalized, CMMC 2.0 will simplify CMMC requirements. The CMMC 2.0 will use 110 cybersecurity practices aligned with NIST SP 800-171 and 800-172.
The CMMC 2.0 will also plot a defense contractor’s security maturity on one of three levels: Foundational, Advanced, and Expert.
By 2026, CMMC 2.0 compliance will be a requirement for almost all DOD contractors or organizations that wish to compete for contracts.
Organizations can achieve the initial CMMC 2.0 level (foundational) through self-assessment.
CMMC certification level 2 verification happens either through self-assessment or, in the case of organizations dealing with sensitive information, through a tri-annual third-party audit.
CMMC level 3 requires a tri-annual DOD-led audit.
Cybersecurity Capability Maturity Model (C2M2)
The Cybersecurity Capability Maturity Model (C2M2) was developed by the Department of Energy (DOE) in 2012.
Initially developed for DOE subcontractors and operational technology (OT) security, the C2M2 can be applied to any organization in any sector.
The C2M2 assesses security performance across ten domains, from Risk Management to Cybersecurity Program Management.
Each C2M2 domain contains several objectives, and each objective has its own cybersecurity requirements. For example, the THREAT domain has three objectives (Reduce Vulnerabilities, Respond to Threats, and Management).
The C2M2 grades a company’s maturity by assessing its effectiveness at performing these objectives.
Maturity is graded on four levels: 0, 1, 2, 3. The top level—3—is for organizations with a proactive risk assessment and management program.
Organizations self-certify C2M2 compliance.
CISA’s Zero Trust Maturity Model
The Cybersecurity and Infrastructure Security Agency’s (CISA’s) Zero Trust Maturity Model is a cyber security maturity model that gives organizations a roadmap to zero trust.
The zero-trust maturity model uses five pillars to describe the road to a zero-trust environment:
- Application Workload
Within each of these five pillars are three maturity stages: traditional, advanced, and optimal.
Organizations can use the zero trust maturity model to track the evolution of their zero trust program. As an organization becomes more mature in its zero-trust journey, the solutions it uses will become more automated and dynamic.
For example, under the identity pillar, a “traditional” level of zero trust maturity means using passwords and multifactor authentication (MFA) to verify a network user’s identity.
When an organization progresses to “optimal,” it will use real-time machine learning analysis and continuous validations to prove identity instead/as well.
Get Visibility Into Your Organization’s Maturity with Randori ASM Cyber Security
Randori’s platform can help you understand your Cyber security maturity model level and gain accurate insight into the performance of your security controls.
The ultimate test for any security posture is its performance against real-world attacks.
Randori’s combined continuous automated red teaming (CART) and attack surface management (ASM) platform lets you see and attack your attack surface like a real attacker would.
Try a demo now.