Maturity vs risk: choosing the right cybersecurity model for your business

Cyber threats are a major concern to organisations across Australia and New Zealand, and with good reason.
Last year, the Australian Cyber Security Centre (ACSC) recorded a cyberattack every eight minutes.

More and more senior executives understand that cybersecurity is a business problem, not just an IT one – and that sophisticated programs are required to manage cyber risks. There are two primary models that serve as the foundation for measuring the effectiveness of any cybersecurity program:

1. Maturity-based models, in which organisations aim to build standardised capabilities and controls across the board, with best practices within their sector serving as a benchmark.
2. Risk-based models, in which the goal is to assess specific risks and their potential commercial impact, with the focus on vulnerabilities unique to the organisation.

What do these approaches mean in practice, and which will suit your organisation better? Let’s dig a little deeper.

What a maturity-based model means in practice

In this approach, organisations benchmark themselves against a number of maturity standards. These standards could be mandated by regulatory bodies, or could simply be typical for other organisations in the same sector. To move up a level, companies are assessed on their uptake of specific measures such as:

1. Implementing multi-factor authentication (MFA) across their networks
2. conducting regular awareness training
3. ensuring software patches are installed within a standard timeframe
4. identifying gaps with a vulnerability scans or penetration tests
5. making regular backups and adopting standard protocols around testing, coordination and permissions
6. building a security operations centre (SOC) to improve threat assessment, monitoring and response

Maturity can be built up by degrees as outlined by various models. Typical models include government-run frameworks such as Australia’s Windows-focused Essential Eight or New Zealand’s Capability model, or industry-specific programs. Other possible frameworks include the ACSC’s Information Security Manual, or the US government’s NIST framework.

Having a clear set of requirements and benchmarks have obvious advantages. Progressing through a program’s milestones is a widely recognised and straightforward way to demonstrate the state of your cybersecurity to executives and third parties. It offers a step-by-step approach that can grow with your organisation and can help your organisation meet mandatory compliance requirements. But maturity-based models have their limitations.

Some maturity models are losing their shine

The biggest single drawback to following a maturity-based model? It will hit your bottom line. Since these models encourage organisations to monitor and defend against every type of threat, they often result in inefficient spending.

Your focus can become restricted to checking off requirements, rather than the practical management of real risks. Maturity-based programs can also increase controls and monitoring to an overwhelming degree. Monitoring across the board means you will likely be throwing overworked analysts at areas where no significant threat exists. The implementation of controls can be another major point of congestion, with implementation teams spread across so many projects that initiatives may remain incomplete for months.

How risk-based models can help decision-making

Maturity models rely on industry best practices, and on a standard framework that anticipates typical threats. By contrast, risk-based approaches use mathematical modelling to assess the impact of external threats and your organisation’s ability to manage them. While simple programs may offer a basic “traffic light” analysis, more sophisticated risk quantification puts detailed cash values on incidents and their repercussions. They offer a more ‘tangible’ view on cyber risk, specific to your organisation and environment.

Even basic risk-based models can help you prioritise the allocation of your cybersecurity budget. For example, if your assessment reveals that your end-users are the biggest cyber risk to your organisation, you might allocate budget for comprehensive phishing training and simulations, as well as tightening permissions and BYO device policies, while minimising spend elsewhere. By contrast, in a maturity-based model, a CISO might simply see basic awareness training as just another item on a laundry list of cybersecurity measures. They might decide to spread budgets evenly across that list and think “boxes ticked”.

Choosing between maturity and risk-based approaches

Risk-based models have been gaining traction in recent years for good reason. Many risk-based frameworks have matured and grown more sophisticated, making it possible to measure specific risks and their impact more accurately than ever. Increased automation is making monitoring easier, while models such as Factor Analysis of Information Risk (FAIR) are developing year on year.

So are risk-based models are better than maturity-based ones? The answer to that is: ‘it’s complicated’. For starters, some maturity models (particularly in the public sector) are mandatory. They simply don’t allow much room for optimising spend.

Risk-based frameworks also have their drawbacks. Any model that relies on risk assessment is only as good as its inputs. The GIGO rule – garbage in, garbage out – still applies. Then there is the complexity of interpreting and communicating the outputs.

Companies without the resources or the cross-department support to adopt a comprehensive program might prefer the clear signposts and standard measures of a maturity model. Larger organisations, particularly those undertaking large-scale, transformative cybersecurity programs, may prefer a maturity program that offers clear targets that can immediately guide delivery.

Your cybersecurity goals should dictate the model

As we’ve seen, there’s no one-size-fits-all answer to the maturity vs risk conundrum. Risk-based programs can offer real strategic advantages but won’t be right for every organisation.

It’s also worth noting that applying a primarily risk-based approach doesn't necessarily exclude a maturity model, and vice versa. Risk assessments can help organisations prioritise the steps to “level up” their maturity program, while maturity models can provide a base on which risk-based programs can be built.

Whichever model you choose, good implementation, a supportive cybersecurity culture, and the right mindset are crucial. Any cyber program should have clear goals, be communicated effectively, and be re-evaluated regularly. Cyber threats won’t stop evolving: neither should your cybersecurity.