Cyber maturity is a difficult term. What makes you mature in terms of your cyber defense? Is it a case of how you view security and risk? Is it the types of cyber solution you use? Or is it what state of evolution your security stack is in?
This discussion is arguably made harder when you compare organizations that are of different levels of ‘maturity’ themselves. The maturity of a business might not necessarily translate into its cyber maturity. For example, start-ups may not have been defending themselves against cyber attack for very long, but they’re not plagued with the legacy infrastructure that larger organizations might be.
Conversely, though, bigger cyber budgets will naturally allow for more defense in depth, with multiple layers, rather than a streamlined investment plan that could be easier to breach.
There is no doubt that the term ‘maturity’ can be viewed differently in different contexts and what is deemed as ‘mature’ in the cyber world will also be both debatable and changeable as the environment and scope for defense evolves too.
One of the challenges many organizations have faced is the number of standards and frameworks that exist in cyber security. Do they attempt to meet them all? Go above and beyond them all? Or focus in on a few? Given what is deemed ‘enough’ in terms of cyber is constantly changing, can these static guidelines really give security assurance and when do they become outdated?
This is where the Cybersecurity Maturity Model Certification (CMMC) will come in useful. Although currently only in its formative stages, it aims to become a single certification that builds in the requirements of many other pieces of government and legislative advice around cyber defense. In doing so, it will also encourage organizations to progress their level of ‘maturity’ as they prepare ahead of the certification.
The 5 CMMC certification levels you should be preparing for now
Level 1 – focuses on basic cyber hygiene, implementing practices that establish a foundation for higher levels of the model. Level 1 must be completed by all certified organizations.
Level 2 – moves on to intermediate cyber hygiene. At this level, the organization is expected to establish and document standard procedures, policies, and strategic plans to guide the implementation of successful cyber security procedures.
Level 3 – focuses on the demonstration of good cyber hygiene and the basic ability to protect and sustain assets and CUI. Organizations at this level are expected to adequately resource and review their activities’ adherence to policies and procedures and should be able to demonstrate the management of practice implementation.
Level 4 and 5 – expect the organization to have achieved a substantial and proactive cyber security program, with the capability to adapt activities in response to changing tactics and procedures. At this level, the business should review activities for effectiveness and optimize cyber security processes across the entire organization.
The CMMC could be a true turning point for many businesses as they are able to measure and improve their cyber posture, while getting a real handle on how ‘mature’ their security approach is. While no amount of defense can be foolproof, demonstrating that every opportunity to improve the security posture of an organization has been taken will achieve huge strides in cyber maturity and, consequently, cyber defense.