January 25, 2024
Cybersecurity's overarching purpose is to better protect an organization against cyber events. However, especially in the corporate setting, it's not enough for chief information security officers (CISOs) to say they've implemented a patch or a firewall and, therefore, their systems are "more" secure. Not only is the result’s description vague, but it also offers very little insight into its ROI.
Cybersecurity leaders need to justify their initiatives with objective forecasts and be able to explain that a specific program reduced the risk of an event and by how much. Unfortunately, this level of communication can be difficult to achieve without a framework or a means of measurement. After all, to demonstrate improvement, there must first be a basis for comparison.
It is precisely this challenge that motivated organizations to create cybersecurity maturity models, which serve as roadmaps for CISOs that need to establish KPIs, remain compliant with government regulations, and explain their resource allocation to the board. As the cyber risk landscape continues to grow in scale and sophistication, adopting a maturity model becomes crucial for effective management.
Essentially, a cybersecurity maturity model is a structured framework designed to evaluate an organization's cyber posture management processes, practices, and controls. It provides various criteria for CISOs to determine how well the company is equipped to identify, detect, respond to, and recover from cybersecurity threats and incidents.
By employing a maturity model, CISOs gain comprehensive insights into their organization's cyber posture within the context of the current cyber risk landscape. They can then leverage their findings to pursue tailored initiatives that elevate the business's maturity levels, precisely understanding how their actions contribute to a more secure environment according to a specific aspect of cybersecurity.
There are many cybersecurity maturity models an organization can choose from, ranging from general-purpose models to ones tailored to a specific industry or sector. The most commonly used are the NIST Cybersecurity Framework (CSF), the CIS Critical Security Controls, and the Cybersecurity Maturity Model Certification (CMMC). While their metrics and parameters overlap in places, each model illuminates different details about a company's security posture.
The National Institute of Standards and Technology (NIST) first released its Cybersecurity Framework in 2014, giving organizations a common structure for describing their cybersecurity posture, identifying and prioritizing areas for improvement, assessing progress, and communicating cybersecurity risk to key stakeholders. In 2023, NIST published a public draft of an updated version, CSF 2.0, accounting for the latest cybersecurity trends; at the time of writing, the draft had not yet been finalized.
The NIST CSF was designed to assist organizations across industries and lifecycle phases and consists of three components: the Core, Implementation Tiers, and Profiles. The Core is "a set of desired cybersecurity activities and outcomes" organized into functions: Identify, Protect, Detect, Respond, and Recover in CSF 1.1, with a sixth function, Govern, added in the CSF 2.0 draft. Each function is broken down into categories and subcategories that specify the outcomes an organization should achieve for better cybersecurity management.
The Implementation Tiers, ranging from Partial (Tier 1) through Risk Informed (Tier 2) and Repeatable (Tier 3) to Adaptive (Tier 4), describe how rigorously an organization's cybersecurity risk management practices are defined and how well they are integrated with its broader risk management. A practitioner should note the caveat NIST itself states: the tiers describe risk management practice, not formal maturity levels, so a higher tier is a characterization rather than a certification. Finally, Profiles let an organization record its current and target states against the Core's outcomes, adapting the framework to its own requirements, risk tolerance, and resources.
NIST also describes a seven-step process for establishing or improving a cybersecurity program using the framework: prioritize and scope, orient, create a current profile, conduct a risk assessment, create a target profile, determine and prioritize gaps, and implement an action plan. The NIST CSF is an extremely useful maturity model that offers CISOs clear detail about how to build a robust cybersecurity posture. Indeed, it has become a well-known standard for cybersecurity risk management and is used by organizations across the US and worldwide.
The CIS Critical Security Controls are a "prescriptive, prioritized, and simplified set of best practices" that give CISOs clear recommendations for minimizing the risk of cyber events. The CIS model is notably more action-oriented than the NIST CSF and, in version 8, specifies 18 controls, or areas, that are crucial to assess, monitor, and upgrade to achieve a high level of cybersecurity resilience.
A few of these 18 controls are Inventory and Control of Enterprise Assets, Data Protection, Account Management, Access Control Management, and Security Awareness and Skills Training. Each control is made up of safeguards, and every safeguard is assigned to one of three Implementation Groups: IG1, IG2, or IG3. Rather than being ranked within each control, an organization first places itself in an implementation group based on its risk profile and available resources, then implements the safeguards assigned to that group.
Each implementation group carries a set of safeguards the organization must implement to qualify. IG1 consists of 56 safeguards that define essential cyber hygiene, the minimum every enterprise should apply. IG2 adds a further 74 safeguards, for a total of 130, aimed at organizations with more complex environments and dedicated security staff.
Finally, IG3, the highest level in the CIS Controls, adds 23 more safeguards, for a total of 153. This level is intended for mature organizations that hold significant amounts of confidential data and PII and would face substantial risk without those additional safeguards. The CIS Controls are widely adopted in Europe and, like the NIST CSF, by organizations worldwide.
Given the unique level of risk it faces as a government organization, the US Department of Defense (DoD) developed a cybersecurity maturity model known as the Cybersecurity Maturity Model Certification (CMMC) program. The Department's contractors and subcontractors, collectively referred to as the Defense Industrial Base (DIB), must comply with this program to a level determined by the type of information they handle.
The CMMC program originally defined five possible levels for the DIB. The model was subsequently revised as CMMC 2.0, which has only three levels, each a defined set of practices and assessment requirements that an organization must meet to obtain certification. CMMC 2.0 was proposed to reflect the evolving threat landscape and to ensure the DIB remains accountable to the DoD.
Although the certification is only required of DIB companies, the model still stands as a solid framework for other organizations that want to adopt a cybersecurity maturity model for posture improvement. Indeed, the latest version of the CMMC aligns directly with NIST publications: Level 2 of CMMC 2.0 corresponds to NIST SP 800-171, and Level 3 adds a subset of the enhanced requirements in NIST SP 800-172.
Level 1, the Foundational tier, consists of 15 requirements covering basic cyber hygiene and the basic safeguarding of Federal Contract Information (FCI); it allows for ad hoc processes and is verified by self-assessment. Level 2, the Advanced tier, requires the 110 practices of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI), all of which must be thoroughly documented. Organizations that meet the Level 3 requirements are considered "Expert," implementing proactive practices and ongoing corrective actions and adapting quickly to the external risk environment.
Choosing a cybersecurity maturity model is ultimately contextual, and it comes down to which one is most applicable to your organization. However, once a model has been selected, the first step is to conduct a baseline assessment according to the model's parameters. This process involves reviewing the various tiers, safeguards, controls, and details of your chosen model and determining how well your cybersecurity posture meets those specific elements.
On top of illuminating how well your organization stacks up to the model, the baseline assessment also equips CISOs to pinpoint specific weaknesses and vulnerabilities in the infrastructure. These insights set the foundation for deciding which business areas are worth investing in. Armed with the information gleaned from baseline assessment, these decisions are then also more justifiable to key stakeholders, who understand the motivation for suggested resource allocation.
However, developing a subsequent action plan is not merely a matter of unearthing a business's specific vulnerabilities and fixing them. Nowadays, it's more likely than not that a cybersecurity maturity model assessment will illuminate a number of issues so great that it would be impossible to get everything up to standard. Indeed, a recent market study found that the average organization has roughly 11,000 security exposures that may be exploited.
Instead of attempting, and inevitably failing, to do everything, CISOs should instead adopt a Shift Up strategy, elevating these issues to the highest organizational levels to ensure that selected initiatives align with the company’s broader mission. When collaboration between the CISO and other C-suite executives ensues, cybersecurity is transformed into a direct business enabler rather than a resource drain.
The NIST CSF, CIS, and CMMC cybersecurity maturity models are the most widely used, but there are still plenty of others to choose from. CISOs should carefully consider the needs of the organization before making a final decision and beginning the baseline assessment. However, if one of these three models is, indeed, best for the business, here are a few resources to help you get started:
1. NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
2. Draft of the NIST Cybersecurity Framework 2.0
3. CIS Critical Security Controls, Version 8
4. CIS Critical Security Controls Implementation Groups
5. Overview of the CMMC Program
6. CMMC Version 2.0 Overview Briefing
While cybersecurity maturity models provide a solid framework for organizations to evaluate their cybersecurity posture, understanding the risk reduction and ROI of subsequent upgrades is still extremely challenging for CISOs. Even if the team manages, for instance, to elevate a CIS security control from IG2 to IG3, it communicates very little in terms of precisely how much less likely they are to suffer from a specific cyber event.
This gap is what cyber risk quantification (CRQ) is meant to fill: an approach to assessing an organization's cybersecurity landscape that can take its specific maturity model levels as an input. With a CRQ solution like the one Kovrr offers, CISOs have direct access to forecasts of how much a given upgrade would reduce their business's cyber risk and, with it, the potential loss amounts from a cyber event.
Figure: The Average and High Effects of CIS Security Control Upgrades.
With these quantifications, CISOs can calculate the financial ROI of specific initiatives and bring that information into high-level discussions where executives are doling out resources and weighing broader business goals. Essentially, CRQ enables CISOs and other stakeholders to understand the tangible implications of their cybersecurity maturity model upgrades, ensuring that these efforts are a strategic investment rather than merely a compliance formality.
Given the detailed, foundational approach cybersecurity maturity models offer CISOs, they are a natural starting point when building a plan to bolster the organization’s cyber defenses. However, for boardroom communication, these models say very little in terms of how the higher maturity levels, or tiers, offer the business greater protection against increasingly sophisticated cyber events.
This vagueness is precisely why it’s important to leverage a CRQ solution that can interpret cybersecurity model maturity in terms of threat likelihoods and financial impact. With these figures, CISOs develop data-driven cyber programs that align with executive goals, produce a positive ROI, and ensure the organization remains cyber resilient.
To find out how your cybersecurity model maturity translates into practical insights, schedule a free demo with Kovrr’s CRQ experts today.