To truly be effective, a cybersecurity program must continually evolve and improve. The problem is, many organizations don’t have a clear sense of where they are today and how to improve for tomorrow. As Peter Drucker, the father of management, is often quoted as saying, “If you can’t measure it, you can’t improve it.”

In an effort to validate and measure their efforts, many cybersecurity organizations count the number of vulnerabilities they’ve closed in a given time period or report compliance with regulatory or industry standards. However, none of these approaches gives a true indication of your organization’s maturity, nor do they provide a framework for improvement. To measure and improve, cybersecurity organizations need to adopt a cybersecurity maturity model.

What Is A Cybersecurity Maturity Model?

A cybersecurity maturity model provides a framework for measuring the maturity of a security program and guidance on how to reach the next level. For example, it will tell you whether your approach to a particular domain can best be described as a crawl, walk or run, as well as how fast you’re going and what you need to do to progress from one stage to the next.

There are several cybersecurity maturity models from which to choose. From my perspective, the National Institute of Standards and Technology cybersecurity framework (NIST CSF) and the cybersecurity capability maturity model (C2M2) both provide a comprehensive approach that covers everything in cybersecurity. Which model you choose is not nearly as important as actually choosing one and using it.

The C2M2 was developed by the U.S. Department of Energy for use by power and utility companies. However, any organization can use it to measure the maturity of its cybersecurity capabilities. The model consists of 10 domains and provides a measurement for each one, allowing organizations to identify areas of weakness and strength. Those domains are the following: risk management; asset, change and configuration management; identity and access management; threat and vulnerability management; situational awareness; information sharing and communications; event and incident response, continuity of operations (a single domain); supply chain and external dependencies management; workforce management; and cybersecurity program management.

The NIST CSF differs from the C2M2, as NIST doesn’t consider the CSF a maturity model. Instead of 10 domains, the NIST CSF represents five cybersecurity functions: identify, protect, detect, respond and recover. However, it does denote a progression expressed as “tiers.” According to NIST, “These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.” In other words, the tiers are an indication of your maturity level. It’s also worth noting that one of the CSF’s parent documents is the C2M2.

Measuring Your Maturity

Some may object to the fact that both the NIST CSF and the C2M2 are self-assessments. You measure your organization in the various domains covered to determine your level of maturity. Therefore, these frameworks are subjective. While this is a valid criticism, a self-assessment still provides a means of measurement, and that’s better than no measurement at all.

It’s also worth noting that measuring your maturity is just the beginning (remember the second half of the Drucker quote?). There will be next steps, including improving your measurements and metrics. There’s a difference between saying “we can run in this area” and saying “we can run an eight-minute mile.” Whichever framework you choose, your organization should build a program around it that will have meaning to you.

Most importantly, a cybersecurity maturity model provides a path forward and enables your organization to periodically assess where it is along that path. This can be a valuable tool not only for improving your cybersecurity efforts but also for communicating with upper management and getting the support you need.

