27 November 2017

Introducing our NIST Cyber Maturity Assessment Service

The two most common cyber security questions we hear are:

  1. Where should we focus our resources; and
  2. How do we compare to others?

To answer these questions, the majority of companies rely on some form of gap assessment and recent survey data. In most cases the answers form the basis of strategic decision making; however, we have found that the data used to answer them varies greatly.

Well, we wanted to change that.

Introducing our NIST Cyber Maturity Assessment

We have developed a maturity assessment service for one purpose: to give those charged with cyber defence a place where they can get genuine real-time data on cyber maturity. Data that can be used to drive strategic investment and ultimately lift our collective cyber security posture.

Our maturity assessment is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Framework was designed to help and protect US critical infrastructure from cyber attack and is considered by most to be the gold standard.

The Framework is based around five core Functions. These Functions have been designed to form an operational culture that addresses dynamic cybersecurity risk.

Figure: the five NIST Functions.

To measure your cyber maturity against the NIST Functions we have used the Capability Maturity Model (CMM). This model is based around five maturity levels that range from Initial to Optimised.

We have also designed a process whereby each current assessment on the platform is used to develop industry and national maturity averages. By doing this, we give all users real-time benchmarks of cyber maturity.

The assessment process

Each NIST Function is broken down into Categories. For each Category you will be asked to choose the description which best fits your current environment and where you would like to be.

Once you finalise your scores and produce the report, that set of responses will be timestamped to enable you to go back at any time and access that report.

We have developed a dashboard for each user so they can quickly access their previous reports along with the applicable industry and national averages.

Reports

For each completed assessment the service gives you access to interactive reports by NIST Function and by NIST Category that allow you to interrogate the various data points. In addition to this, we have designed a downloadable transparent image file report so you can easily insert your assessment into presentations and reports. The downloadable reports come in three different forms: by Function, by Category and, for those looking to demonstrate a lift in maturity, a Comparison to your previous current state. Each report, both interactive and image file, displays the applicable industry and national averages for your organisation.

By Function:

A bar chart showing an example organisation's NIST maturity, broken down by function, compared against its desired state, the Australian national average and the information technology industry's average.

By Category:

A bar chart showing an example organisation's NIST maturity, broken down by category, compared against its desired state, the Australian national average and the information technology industry's average.

Comparison:

A bar chart showing an example organisation's NIST maturity, broken down by category, compared against its previous state, the Australian national average and the information technology industry's average.

Our ask

We have developed and given away this assessment for free to support the community. We ask two things in return:

  1. That you use the service as it is intended. The industry and national averages are made up of everyone’s results and therefore the more accurate your responses are, the better the benchmark data will become.
  2. Help us improve the service. We would love to hear your thoughts on how this could become better.

We sincerely hope that over time this will become a resource that the community can rely upon and it will be used to lift our collective security posture.

Our commitment

The data you enter into this site is yours and unless specifically requested or there is a potential breach of our Terms of Service, elevenM will not access or review your data. In addition, other than to calculate industry or national averages, elevenM will not use your data for any purpose.

Our offer

We understand that some of you will need to have your maturity assessment independently validated in order to present it to senior stakeholders. If you need, we are happy to work with you and complete the assessment on your behalf. To do this, we would interview your team and review artefacts which support your current state position. We will then enter the results onto the site and provide you access to the reports along with a cover letter verifying that the assessment has been completed by elevenM. For this, we would charge you a simple daily rate for our time.

Important points to note

  • You can access the site via the tools option in the menu bar.
  • To access the site you will need a valid corporate e-mail address. We need this to make sure that you work for the company that you are creating an assessment for (you will be asked to respond to a validation link).
  • As you would expect, we take security seriously. As such, we also ask for your mobile phone number, which will be used by our two-factor authentication process.
  • The industry and national averages start when there are two or more assessments completed in your country or industry. Until that time, no average data will appear.
  • As noted above, the averages are based upon the current assessments on the platform. Once an assessment is archived by beginning a new assessment, the archived data will no longer be used to create averages.
  • The option to print comparison reports will only become available upon completion of your second assessment.