23 February 2023

Is it time to move on from cyber maturity assessments?

Peter Quigley

elevenM Principal Peter Quigley proposes a move away from cyber maturity to a threat-based approach to cyber risk management.

Last week, my colleague Iain Lindsay-German MBE described how adopting a military threat-based approach could help organisations manage cyber security risks. In this post, I’ll describe the way many organisations currently approach cyber risk management and how this practice needs to evolve to meet future challenges.

It may surprise some readers, but many organisations with well-established cyber security programs do not build their cyber programs around specific threats. Instead, the shape and direction of their cyber security program is determined by the pursuit of a particular maturity rating.

Cyber frameworks such as NIST CSF and the ACSC’s Essential Eight are highly respected and well known to every cyber security professional. Increasingly, we find they also have strong name recognition with senior executives and board directors (even those less familiar with cyber security). This makes them a persuasive choice for CISOs to anchor an executive conversation around.

Frameworks like NIST CSF can also lend themselves to deriving a single maturity score for your entire cyber program (typically on a scale of 1-5), which for senior executives can be attractive as it offers a single, easy-to-consume number for what is otherwise a complex domain. (It should be noted at this point that NIST itself has previously said that the CSF should not be used as a maturity model, but in practice we know this is how it is often used.)

The drawback with this maturity-driven approach is that maturity does not equate to protection. While it’s true that establishing capabilities (under NIST CSF or another framework) provides a strong baseline for cyber risk management, the existence and maturity of a set of capabilities does not in and of itself indicate protection against the specific threats an organisation faces.

In comparison, a threat-based approach involves more clearly identifying the threat actors (or attackers) targeting your organisation, industry and location, assessing their motives and objectives, and building an understanding of the tactics, techniques and procedures they are using to achieve those objectives. With this knowledge, organisations can then build the specific controls necessary to manage those threats to an acceptable level.

So, no more NIST CSF?

For good reason, NIST CSF is a well-respected framework and elevenM supports many clients to use the CSF to guide the development of foundational capabilities. The point here – as also observed by analysts like Gartner – is that once organisations have established those baseline capabilities and reached maturity levels of around 3-3.5, the ongoing value of “maturity” as a guide for prioritisation and future investments deteriorates. As my colleague Iain might say, it doesn’t help organisations see what’s coming at them.

At this point, having established an effective baseline, we recommend organisations begin incorporating a threat-based approach. At elevenM, we help clients identify their top threats based on relevant threat intelligence at a global, local and industry level. We then use a scoring system to help them select and prioritise the controls they will need to mitigate those specific threats. This approach, coupled with an assurance program to rigorously test controls and capabilities, can deliver organisations true confidence about their ability to protect their systems and data from the threats they face.
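To make the prioritisation step concrete, here is a small worked example. It is added here for illustration and is not elevenM's scoring system, nor real threat intelligence or client data: the two threat actors, their MITRE ATT&CK technique IDs and the control-to-technique mapping are all constructed, and weighting each technique by the number of relevant actors that use it is one simple scoring choice among many. The script picks controls greedily by how many actor-weighted techniques each one closes, reports the techniques no candidate control addresses (an intelligence or control gap), and then gives a per-actor coverage figure of the kind a governance conversation can be anchored on.

```python
from collections import defaultdict

# Constructed sample data (not elevenM's threat intelligence or scoring
# system): two hypothetical threat actors judged relevant to the organisation,
# each with the MITRE ATT&CK technique IDs they have been observed using.
THREATS = {
    "ransomware-crew-A": {"T1566.001", "T1078", "T1486", "T1021.001"},
    "espionage-group-B": {"T1566.001", "T1078", "T1041", "T1190", "T1059.001"},
}

# Constructed mapping of candidate controls to the techniques each mitigates.
# Control names are illustrative, not a recommended control set.
CONTROLS = {
    "phishing-resistant MFA": {"T1078", "T1566.001"},
    "email attachment sandboxing": {"T1566.001"},
    "offline immutable backups": {"T1486"},
    "egress filtering and DLP": {"T1041"},
    "external patching SLA": {"T1190"},
    "RDP restricted to jump host": {"T1021.001"},
}


def technique_weights(threats):
    """Weight each technique by how many relevant actors use it."""
    weights = defaultdict(int)
    for techniques in threats.values():
        for t in techniques:
            weights[t] += 1
    return dict(weights)


def prioritise_controls(threats, controls, in_place=()):
    """Greedy weighted set cover: repeatedly pick the control that closes the
    most actor-weighted uncovered techniques. Returns the ordered selection
    with each control's marginal gain, plus techniques no control covers.
    Controls already in place are credited first and not re-selected."""
    weights = technique_weights(threats)
    uncovered = set(weights)
    for name in in_place:
        uncovered -= controls[name]
    remaining = sorted(c for c in controls if c not in in_place)  # stable order
    selected = []
    while uncovered and remaining:
        best, best_gain = None, 0
        for name in remaining:
            gain = sum(weights[t] for t in controls[name] & uncovered)
            if gain > best_gain:
                best, best_gain = name, gain
        if best is None:  # nothing left closes an uncovered technique
            break
        selected.append((best, best_gain))
        uncovered -= controls[best]
        remaining.remove(best)
    return selected, uncovered


def coverage_by_actor(threats, controls, chosen):
    """Fraction of each actor's known techniques mitigated by the chosen controls."""
    covered = set().union(*(controls[c] for c in chosen))
    return {actor: len(techs & covered) / len(techs) for actor, techs in threats.items()}


if __name__ == "__main__":
    plan, gaps = prioritise_controls(THREATS, CONTROLS)
    for name, gain in plan:
        print(f"{gain:>2}  {name}")
    print("uncovered techniques (intelligence or control gap):", sorted(gaps))
    for actor, frac in coverage_by_actor(THREATS, CONTROLS, [n for n, _ in plan]).items():
        print(f"{actor}: {frac:.0%} of known techniques mitigated")
```

Running it puts phishing-resistant MFA first (it closes the two techniques both actors share), leaves email attachment sandboxing unselected because the technique it addresses is already covered, and flags T1059.001 as a gap that needs either a new control or a decision to accept the risk. Passing the controls you already operate via `in_place` turns the same routine into a "what should we fund next" answer rather than a from-scratch plan.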

In summary, here are four benefits we believe a threat-based approach has over a cyber maturity score:

  1. The cyber team is able to build the specific controls needed to defend against the threats they face
  2. The cyber program can dynamically adapt to changes in the threat landscape
  3. Investment requests are articulated through a risk-based rationale
  4. Governance conversations become focused on what matters most to the organisation and executive – cyber resilience.

If you would like to know more about maturity versus threat-based approaches or assurance methodologies, reach us at hello@elevenm.com.au.