A Framework to Determine your Cyber Security Maturity
Is Your Vulnerability Management Program Mature?
While corporations are advancing to meet the ever-expanding cyber threat, there is uncertainty about whether they are actually prepared.
It’s Not All Bad.
They can point to improvements in automated tools, key hires, and some success in catching vulnerabilities.
What the Enterprise DOES Know
They DO know that major Cyber Security incidents are happening on a daily basis, just by reading the front page of the news.
And they do know that they are not prepared to avoid being the next front-page news.
The Problem
The ever-expanding and dynamic attack surface across the full stack produces blind spots.
And automated detection tools produce an abundance of noise (false positives) that muddies the waters even further.
Blind Spots
The Global 3000 Enterprise simply does not know what it does not know.
And Companies are Simply Not Ready
“More than half of businesses are not prepared for Cyber Attacks” (Cyber Trendscape Report 2020)
So We Developed a Maturity Framework
Based on eight evaluation criteria, we developed a model that places each company into one of five categories:
- Laggard (1) – 15%
- Formative (2) – 20%
- Traditional (3) – 50%
- Progressive (4) – 10%
- Mature (5) – 5%
Your Vulnerability Management Maturity
Let’s discuss your maturity level with the following framework.
Vulnerability Management Maturity Model Criteria
| Evaluation Criteria | Question | Laggard | Formative | Traditional | Progressive | Mature |
|---|---|---|---|---|---|---|
| Management | Who is the most senior cyber security executive? | Nobody | An IT Manager | A Team Lead/Senior Manager | A VP/Director | A CISO; security is implicit throughout the organization |
| Staffing | What is your current cyber security staffing makeup? | None | 1 Cyber Security Professional | 1-4 Cyber Security Professionals | 5-8 Cyber Security Professionals | 9+ Cyber Security Professionals |
| Goals | What is the primary goal of your current cyber security program? | Non-Existent | Ad-Hoc | Assessment & Compliance | Attack Management | Business Risk Management |
| Intelligence | How comprehensive is your intelligence view? | No intelligence/business context | No full-stack coverage | No full-stack vulnerability view | Risk-Based View | Validated vulnerability intelligence & business context |
| Processes | How proactive and automated are your cyber security processes? | Ad-hoc patching/mitigation; no process | Haphazard mitigation/patching; ad-hoc assessment | Compliance-driven; infrequent process cadence | Scheduled & on-demand; proactive patching | Scheduled, continuous & on-demand assessments |
| Resilience | How prepared are you to react to a cyber event? | Unknown | Unprepared | Recovery Capabilities | Detection and Protection Capabilities | Adaptive strategies & mature actionable intelligence available |
| Operational Workflow | How do you put your cyber security intelligence into actual operational remediation? | None | Manual | Some automated integration | Fully Automated | Fully automated, integrated with expert remediation guidance |
| Tools / Capability | What are your current VM tool capabilities? | | | | | |
* Based on a sample size of 789 Global 3000 companies.
Human Touch
“Human Expertise is the Key To Effective Cybersecurity Automation”
“Getting real value and effective cybersecurity from these tools requires a human touch” (Tom Gorup, Security Boulevard)