Cyber Maturity Overview (Beta)

Welcome to Cyber Maturity

Cyber Maturity is the first step any organization can take to start its cybersecurity journey, especially if your organization does not have much cybersecurity experience. It helps set the foundation of cybersecurity by introducing basic concepts and measuring your organization’s current cybersecurity posture. By understanding where your organization stands, we can give recommendations on the risks you are taking today and how to mitigate the most important ones. We can also use this information to empower you and your team to make the right decisions on where, and how much, to invest in cybersecurity projects based on your individual organization.


Note that this feature is currently in Beta, which means it is a work in progress. We are still refining how it works. If something is confusing or broken, or if you have suggestions on how to improve it, please don't hesitate to reach out and let us know.


Key Terms

Security Area

There are three foundational pillars, or Security Areas, of cybersecurity: People, Process and Technology. These are the three areas every organization should consider when setting up a security program, and each of the 19 Elements is categorized into one of these areas.

Elements

The 19 Cyber Maturity Elements cover the key aspects of cybersecurity for small and medium-sized organizations. They are based on the NIST Cybersecurity Framework, and each falls into one of the three Security Areas. The assessment asks about your organization’s approach to each Element with a corresponding question.

Maturity Levels

Maturity Levels are a measure of your organization’s cybersecurity posture for a particular Element. Each Element question has six possible answers, and your Element Level is assigned based on which answer you pick. Level 0 means a missing or inconsistent implementation of the Element, and Level 5 means a very mature implementation of the Element. The higher the Level, the more mature your organization is in that Security Element.

Level 0 "Inconsistent Implementation" - Security processes are lacking. In a cyber incident, it's unlikely the organization can respond effectively.

Level 1 "Ad Hoc Implementation" - Security processes are managed in a purely reactive manner.

Level 2 "Baseline Security Program" - Basic proactive planning has been done. If you have more complex needs, this may not be sufficient.

Level 3 "Formal Security Program" - Security program is complete, but may not account for every scenario. Testing and continuous improvement could be optimized.

Level 4 "Mature Security Program" - Security program is risk-driven and produces some metrics which are used to guide business decisions and security program improvements.

Level 5 "Optimized Security Program" - Security program is fully risk-driven, featuring quantitatively-managed improvement with continuous feedback as well as being a key stakeholder in all business decisions.

Leveling Up

The goal of the Cyber Maturity Assessment and report is to give your organization the resources to improve its cybersecurity posture. We measure this using Cyber Maturity Levels. When your team takes action on an Element and meets the criteria for a higher level, your organization has leveled up.

Overall Maturity Level

Your organization's Overall Cyber Maturity Level is the same as your lowest Element Level. For example, if your organization scored a 4 on every Element except “Identity and Access Management”, which scored a 2, then your Overall Maturity Level would be 2. This may seem a bit harsh at first, but your overall security is only as good as your weakest link. Spend time improving your lowest individual Element Levels to raise your Overall Maturity Level.


How the Assessment Works

You will first answer a series of questions about how your organization handles cybersecurity-related topics. Based on your answers to those questions, you will receive a report that summarizes your organization’s Cyber Maturity stance. The report also includes details about how to improve on each of the cybersecurity Elements and specific steps your organization can take starting today. Once your organization has taken action, you can edit your answers to the Assessment to record your increased Cyber Maturity Level. Your updated Report will reflect the improved cybersecurity posture, and any further recommended steps (if there are any that make sense) will be available after that.


Getting Started

Once you sign in to Cyber Safety, navigate to Cyber Maturity either by clicking through the navigation bar on the left-hand side or by clicking the Cyber Maturity progress card at the top of the Dashboard. If you have not finished the Assessment, you may also receive a pop-up after you sign in that will take you there.


The Cyber Maturity Assessment

The Assessment consists of 19 questions across a range of cybersecurity topics that are important in keeping any organization safe, spanning the three Security Areas: People, Process and Technology. Work through the questions with your team and try to be as honest as you can. A Cyber Maturity Report is generated based on your answers to the Assessment, so the more accurately your answers reflect your organization, the better we can understand it and help you improve and protect the right things.


There is no right or wrong answer to any question. Every organization requires a different level of maturity for each Element based on various factors, including size, industry and many others. The answers to these questions will not affect your insurance terms, and we do not share your responses unless you want to take action and invest in a specific cybersecurity project.


If you come across a question you don’t know how to answer, you can skip it. The question will be marked unanswered so that you or a teammate can revisit it later. Additionally, you can schedule a call with Cyber Concierge, an in-house cybersecurity expert (included with your Cyber Safety subscription). The Concierge can help you understand the question and figure out which answer is the most appropriate for your organization.


See the article Taking the Cyber Maturity Assessment for details.


The Cyber Maturity Report

The result of your Cyber Maturity Assessment is a Report that summarizes your organization’s overall cybersecurity posture. The goal of the Report is not to grade or assess your organization, but rather to give a realistic, point-in-time understanding of your organization’s top risks for improvement. Each of your answers is associated with a Maturity Level for that question’s Element, and you will see your current Level with context on your current risk, suggestions for improvement and immediate next steps you can take. Based on the individual Element Levels, an Overall Level is also assigned to your organization.


The Cyber Maturity Report should give you the information you need to start taking action on improving your cyber posture. Many improvements require little additional capital, or can be made with tools you already have and use today. Other times, a larger investment in a dedicated cybersecurity improvement project may make sense, especially if your organization is larger in size or operates in a regulated space.


If you have any questions about the Report, the recommended actions or how to prioritize between several action items, you can also schedule a call with Cyber Concierge. Our in-house cybersecurity expert can help you find the best way forward based on your organization’s Report, any unique circumstances and your budget. See the article Understanding the Cyber Maturity Report for additional details.
