# Opener

Outrunning the Bear

Published by Jason Christopher

A Cybersecurity Assessment Boards Actually Care About

Boards and executives are becoming increasingly involved in cybersecurity planning and strategy discussions. This is a marked improvement over the last decade, much of which is due to media-catching headlines and public incidents. But those headlines are a double-edged sword. Now executives not only want to know how their organization is doing with regards to cybersecurity, but also how they compare to their peers.

In my recent Forbes piece, I discuss the usefulness of maturity models and specifically discuss the use of the Cybersecurity Capability Maturity Model (C2M2) and the NIST Cybersecurity Framework (CSF). Both of these bodies of work contain guidance for new and existing programs while also providing a self-assessment methodology for evaluating your organization’s cybersecurity practices. As the former technical lead for the C2M2 and the federal energy sector lead for the CSF, I have been able to see both programs evolve across industry, but they always lead to the same question by executives—“But how do we benchmark across industry?”

The Power of Benchmarking

There’s no mystery as to why this question comes up—cybersecurity is full of acronyms, terms of art, and is deeply technical. It may not always be obvious what steps to take next. And while maturity models inherently describe how to “crawl, walk, and run,” some organizations may rightfully ask, “do we really need to run right now, or is walking fine for our cybersecurity program?” Well, as the old adage goes, when fleeing from a bear at a picnic, you do not need to be faster than the bear—just the person next to you. Some executives, whether right or wrong, may just want to know if the person next to them is running faster.

At Axio, we believe maturity models have a vital place in program management. But we also understand the power of benchmarking and data analytics. That’s why our Axio360 platform leverages both. Not only can you evaluate your program using either the C2M2 or CSF, but you can also provide valuable benchmarking analytics to board and executives. Combined with the other elements of 360, including cyber risk quantification and insurance analysis, your security program will be equipped with meaningful metrics. We’ve seen clients use our platform to promote budget justifications, hiring additional resources, and getting further executive buy-in on important security and financial controls.

At the end of the day, executives want to know the right thing is being done. Maturity models, and data analytics, can provide that peace of mind. Read more about the C2M2 and CSF and see how these self-assessments can help your program.