Maturity Questions are a mechanism to capture and analyze an organization's cybersecurity sophistication. Maturity is captured at the group level to help gauge a company's ability to sustain positive cyber practices and improve them over time. Companies with low maturity may implement effective security controls, but it is likely to be unsustainable and not backed by institutional planning and standardization. Companies with higher maturity would be effective at implementing good security controls.
Large discrepancies between a company's maturity scores and effectiveness/coverage scores may be red flags.
Understanding the Scales
The scales within the gauges are defined as the following:
- 0-1: Ad-hoc: Organization's capability to manage their controls follows an isolated, inconsistent, manual model
- 1-2: Defined: Organization's capability to manage their controls follows an initially assigned, basic process with supporting technologies
- 2-3: Managed: Organization's capability to manage their controls follows a professional approach with integrated processes and semi-autonomous technologies
- 3-4: Optimized: Organization's capability to manage their controls includes a specialized approach, with measurable processes and semi-autonomous technologies
- 4-5: Adaptive: Organization's capability to manage their process includes specialized and interdisciplinary approach with autonomous, agile and intelligent processes and technologies
The maturity calculations are cascading averages from the raw answers all the way up to the assessment level.
- People maturity has 3 subcategories: Role, Experience and Training. The “people maturity” score is the average of those three.
- Technology maturity has 2 subcategories: Data and tools. The “technology maturity” is the average of those two.
- Process maturity has 2 subcategories: Policies and procedures. The “process maturity” is the average of those two.
The maturity for a group is the average of the People, Process, and Technology maturities above. The overall assessment maturity is the average of the 5 group maturities.
Maturity Scores vs. Control Effectiveness Scores
In addition to direct capability questions, the CyberGRX control questionnaire also has specific questions related to control maturity. These questions however relate to the effectiveness of a controls and are focused on:
- Strength of the controls: Granularity of the controls implemented (i.e., the implemented capabilities and functionality of the control)
- Timeliness of the control: When is the control effectiveness reviewed – schedule of event update and event driven (i.e. The Frequency (Cycle time or speed) of control implementation)
- Coverage of the control: Which processes, people, technologies or departments or functions have implemented this control (i.e., the breadth of the control deployment or capabilities)
This section relates to control effectiveness and should be used for benchmarking requirements if any.
Most maturity models use a combination of the above (i.e., Capability and Control effectiveness). The challenge is that the score might get influenced if the company hires an experienced resource or provides training to employees, but does not make any changes to the control being implemented. For example, a company may have implemented a SIEM solution and may have experienced, trained and certified resources, but they have not implemented the right use cases (strength) and the solution is not ingesting logs from various data sources (Coverage), which means while they have the capability, ultimately the company's implementation of that control is not effective.
It is because this CyberGRX has these two different scores. Maturity relates to Capability of Managing and Maintaining a control, while Control Effectiveness relates directly to how a control is implemented.