CISOs often discuss the measurement of cyber security current state and development over time. Fraktal has assisted numerous clients in utilizing the Kybermittari (eng. Cybermeter) tool for this purpose. Developed by Finland’s National Cyber Security Centre (NCSC-FI), the tool is based on the international NIST Cybersecurity Framework and Cybersecurity Capability Maturity Model (C2M2).
The primary benefit of the tool is that it renders cyber security quantifiable. It provides our clients with an understanding of which best practice processes and other controls they have already implemented, and which have yet to be established. The tool is comprehensive, technology agnostic, consultant agnostic, systematic, easy to repeat, available in multiple languages, and based on recognized international cyber security frameworks.
Obtaining a maturity score gives the organization insight into their current security status, although typically receiving a score is not the primary objective. The maturity scores and other results from the tool can be used to achieve various objectives, such as:
- ascertaining the state of cyber security, for example at the start of a strategy season and using the score as a baseline to track improvements over time.
- identifying the organization’s current cyber security strengths and weaknesses and using the knowledge to map out areas for improvement and a feasible plan to enhance them.
- monitoring the development of cyber security over a longer period of time by conducting the assessment annually or bi-annually.
- establishing targets for improvement within a certain period of time (e.g. wanting to reach the next maturity level in a certain domain).
- understanding the variation in maturity of cyber security practices in different organizational units within the organization.
- validating the attainment of previously set targets.
Conducting cyber security maturity measurement
Organizations interested in utilizing the Cybermeter tool for the purpose of conducting a cyber security maturity measurement have the option of doing so independently. However, many of our clients have chosen to enlist our services in order to facilitate the process. This is due to the fact that having an experienced Cybermeter facilitator present can be highly beneficial, as they are able to explain the meaning of the practices and give example implementations, as well as ensure that different organizational units taking part in the process use the tool in the same fashion.
Importance of reporting
The outcome of the maturity measurement is articulated in a comprehensive report, which allows the organization to view the state of cyber security from various angles, such as the incorporation of the NIST Cyber Security Framework core report, which divides cyber security activities into five main categories, as well as the reporting along the eleven Cybermeter domains, which provides a more granular look at different domains of cyber security and highlights potential areas for development.
In addition, our facilitators are able to provide insights from the interviews conducted, which are then included in the report. Furthermore, the organization may choose to share their maturity results with Finland’s National Cyber Security Centre (NCSC-FI) and receive reference data.
Towards a roadmap
The results of the maturity measurement and the tool’s different reports and recommendations can serve as a basis for a security roadmap. The organization can use the measurable numeric values obtained to set improvement goals for the next measuring period, and we recommend re-measuring after a certain period of time to ensure the process improvements are moving in the right direction.
Technologies and methods
Cybermeter tool was used for the assignment. Cybermeter (Kybermittari) is a cyber security maturity measurement and development tool that has been developed by Finland’s National Cyber Security Centre (NCSC-FI). Kybermittari is based on the international NIST Cybersecurity Framework and Cybersecurity Capability Maturity Model (C2M2).
Further information on Kybermittari on http://www.kybermittari.fi.