What Is a Cyber Security Maturity Model?

cybersecurity issues cyber attacks cyber security cryptojacking cyber training engineering courses on cyber


A cyber security maturity model provides a path forward and enables your organization to periodically assess where it is along that path. This can be a valuable tool for improving your cyber security efforts, as well as for communicating with upper management and getting necessary support.

According to a recent article in Forbes, the cyber security capability maturity model (C2M2) and National Institute of Standards and Technology cyber security framework (NIST CSF) are just two of several models to choose from, each providing a comprehensive approach that covers everything in cyber security.

Although the C2M2 was developed by the United States Department of Energy for use by power and utility companies, any organization can use it to measure the maturity of their cyber security capabilities. This model consists of the following 10 domains, providing a measurement for each one to help organizations identify areas of weakness and strength.

  • Risk management
  • Asset, change and configuration management
  • Identity and access management
  • Threat and vulnerability management
  • Situational awareness
  • Information sharing and communications
  • Event and incident response
  • Continuity of operations
  • Supply chain and external dependencies management
  • Workforce management and cyber security program management.

NIST doesn’t consider the CSF a maturity model, although one of its parent documents is the C2M2. Instead of 10 domains, the NIST CSF represents five cyber security functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The CSF denotes a progression expressed as “tiers” that reflect a progression from informal, reactive responses to approaches that are agile and risk-informed — essentially indicating maturity level.

Both the C2M2 and the NIST CSF are self-assessments, which draws some criticism, since the frameworks are subjective. However, measuring your level of maturity via self-assessment is better than gathering no measurement at all.

Once a level of maturity has been determined, the next steps include improving measurements and metrics. Whichever framework you choose — the C2M2, NIST CSF or another — your organization should build a meaningful program around it.

Trusted Cyber Security Training from IEEE

IEEE offers an 11-course cyber security training program designed to help businesses improve security challenges. Cyber Security Tools for Today’s Environment is intended for professionals in IT, computer science and related fields who are looking to enhance their cyber security knowledge and stay current.

Additionally, Hacking Your Company: Ethical Solutions to Defeat Cyber Attacks, an eight-course program, provides cutting-edge information to help engineers detect system vulnerabilities before an attack.


Christopher, Jason. (1 Nov 2018). The Cybersecurity Maturity Model: A Means To Measure And Improve Your Cybersecurity Program. Forbes.


No comments yet.

Leave a Reply