Introduction
Are you a CISO or Information Security Manager looking for a framework that both helps identify controls to be implemented and provides guidance on what good looks like across all major cyber security domains?
You may find a cyber security capability maturity model (CMM) especially helpful.
The Challenge
Controls frameworks such as ISO27001, PCI DSS, CIS18, NIST, etc. are all useful, but they are generally produced for specific purposes or are quite rigid in their application. This often means that cyber leaders are restricted in how they can use them in day-to-day operations.
A Capability Maturity Model (CMM) approach can be a great way of re-introducing some flexibility and creating a useful controls framework that can act as the backbone of controls selection, design, and implementation for your organisation.
What is a Cyber Capability Maturity Model?
Capability maturity models are not unique to cyber security; they are used across all disciplines and industries. For cyber security, however, they can be especially powerful.
A Cyber Capability Maturity Model (CMM) is a strategic tool used to assess and improve an organisation’s cybersecurity capabilities. It provides a structured framework that helps you to do two main things:
- Current state assessment: evaluate your current cybersecurity posture across various domains, such as risk management, threat detection, incident response, cyber governance, Security Operations, etc. The model typically defines different levels of maturity, ranging from basic or reactive capabilities to more advanced, proactive, and optimised states.
- Target state assessment: usually adopting a threat assessment as the basis, helping to define what good looks like (target state maturity) across all cyber domains and control areas.
By using the Cyber CMM, you can identify gaps in your cybersecurity practices, benchmark performance against industry standards, evidence compliance and develop a roadmap for continuous improvement. The goal of the Cyber CMM is to help organisations build more robust and resilient cybersecurity systems that align with their overall business objectives, thereby reducing risk and enhancing their ability to defend against cyber threats.
Why Use a Cyber Capability Maturity Model?
✅ Evidence Compliance: with a Cyber CMM, you can map in multiple control frameworks meaning you can report on different industry standards from one single current state assessment.
✅ Simplified Reporting: as a cyber leader you’ll likely have internal stakeholders such as internal audit, and external stakeholders asking for evidence of cyber security compliance and resilience. There is no need to develop multiple reports or approaches for keeping these different stakeholder groups updated, use a single cohesive approach and save time.
✅ Strategic KPI and Measurement: in the cyber security world, it can be difficult to strategically measure progress and evidence to your executive and the board how your organisation’s maturity is progressing over time. With a cyber capability maturity model this is much easier.
✅ Controls Framework: because you can align multiple controls frameworks such as ISO27001, NIST, CIS18 Critical Controls, PCI DSS, etc. into your capability model, it acts as the most robust approach to defining a controls framework that is available to us.
✅ Flexibility: you’re not limited by the singular nature of individual controls frameworks such as ISO27001 and can also map in industry best practice not necessarily captured in controls frameworks. This can build up a really rich picture of what the target state for different levels of maturity can look like across different industries and sectors.
How a Cyber Capability Maturity Model Works
Typically, there are 9 steps to designing and implementing a cyber capability maturity model:
- Design the Model: use a template such as the one we provide here as the basis for your model. This cannot be used straight out of the box, as all maturity models need to be tailored to fit your organisation.
- Tailor the Model (Sector): not all sectors have the same level of maturity – finance and banking is much further ahead than, say, the Higher Education / University sector. It would not be accurate to measure Universities against the same benchmark that we apply to banks. As such, the model must be tailored for the specific sector to which it is to be applied.
- Tailor the Model (Organisation): no two CMMs should be the same. Your organisation will operate in a completely unique manner to your peers/competitors and the CMM needs to accommodate this. Some questions to answer to help tailor the model to your organisation:
  - Does your organisation have any specific compliance requirements such as PCI DSS, PECR, NIS2, CAF, etc.? If so, you’ll need to map in the best practice or associated controls frameworks.
  - Are there some business operations which should be de-scoped altogether? e.g. do you fully outsource software development, or is your IT infrastructure entirely in the cloud without any on-premise networking?
  - What are the strategic priorities for your organisation? If you are a software house, you may want a more detailed assessment of software, SecOps and DevSecOps related capabilities.
- Threat Assessment: perform a cyber threat assessment to understand the key threat scenarios that your organisation faces.
- Target State Assessment: based on the threat assessment, map the threats to cyber capabilities, identifying those capabilities which would best protect the organisation from those specific threats. This defines the desired future state for all cyber capabilities across the model.
- Baseline Assessment: perform a current state assessment to baseline your current state maturity across all cyber capabilities.
- Cyber Roadmap: define a cyber roadmap designed to transition your organisation from your current state maturity to target state. This will articulate the ‘journey’ you need to go on to close the gap.
- Repeatable Assessments: produce the artefacts required to periodically re-assess your current state, thus measuring the strategic progress your organisation is making based on new controls implemented and projects completed.
- Metrics and Reporting: produce a reporting pack and associated KPIs/metrics that can be produced quickly for a variety of stakeholder groups.
Benefits of Implementing a Cyber CMM
- Strategic Alignment: ensures cyber security control implementation is focused not only on the greatest cyber threats facing the organisation, but also on meeting the strategic objectives of the company.
- Improved Risk Management: by having a single source of truth in terms of controls implementation, risk management strategies and objectives are met faster and with less effort.
- Increased Resilience: an organisation that is able to focus on building capabilities in a maturity view will inevitably become more resilient in a shorter amount of time, as resources (people/time/funds) are applied to the areas that not only need it the most but also garner the highest return on investment.
- Demonstrate Compliance: use multiple industry standards or regulations to evidence your cyber security posture and compliance.
- Executive Clarity: senior management, especially boards, are very familiar with maturity models and as such, when it is done well it can help improve executive buy-in and better communicate progress against strategic objectives.
- Faster Reporting: cyber capability maturity models have a unique ability to simplify reporting. Whether it is for a Head of Internal Audit, a Non-Executive Director or an external Venture Capital firm, the maturity reporting can be comprehensive enough to satisfy all these stakeholder groups, saving you time creating bespoke views for each interested party.
What Next?
Please download the resource today (completely free and no email needed) – any questions please get in touch with us.