What most of these models have in common is that they have a maturity model attached to them. If they don't, they at least require you to use a maturity model of your own choice. Maturity models are simple scales (e.g. from 0 to 3) that allow you to put a number on the level of maturity you have in a specific area. If you are merely reactive, your level is 0. If you have everything under control and have a solid process for continuous improvement, you can reach level 3.
A very general model, the Capability Maturity Model Integration (CMMI), was developed by the US government to gauge the maturity level of suppliers in system development. It is perfectly usable for cybersecurity. Some governance models, such as the NIST CSF, have their own maturity levels (they call them 'tiers', from 1 to 4).
The maturity levels allow you to assess where you stand today, the ‘AS IS’ situation, or Current Level.
This is where you, as a board, come in: it is your role to strategically define the security level where you wish to be, based on your own risk appetite, competitive pressures, or a benchmark of your market. This is the 'TO BE' or Target Level.
The gap between the current and target levels is what you want to close. Your security experts (internal or external) will create a roadmap specifying how to reach your target, by when, and what budget is required.
That all sounds very technical. It can be… but the reporting doesn’t have to be. This is where the spiderweb chart comes in!
The chart gives a clear overview of the current and target levels per area at a glance. A yearly review updates the chart, and successive versions placed side by side show the progress made in cybersecurity maturity over time.