Cybersecurity Maturity Assessments are everywhere. No regulation requires them. Judges have no idea what they are. Have you read the NIST Cybersecurity Framework? It never mentions Maturity Assessments. Not once.
So, if maturity assessments are not expected, why do cybersecurity consultancies push them?
Because they are easy and profitable.
Let’s face it, Maturity Assessments are multiple-choice surveys that any college graduate can conduct. Responses scored ‘1’ through ‘5’ are averaged to a ‘2.7’ and, voila, the Maturity Assessment is done. Compare that effort with what you pay for one and the math speaks for itself. These assessments are very profitable.
To add value, the consultants will tell you that your peers sit at ‘3.2’ or ‘3.4’ maturity, so that becomes your target. A good question for your consultant is how every one of their clients ended up with such middling maturity scores.
The cold, hard truth is that ‘3.2’ is just over the half-way mark on a scale of ‘1’ to ‘5’. The consultant wants you to feel you are being told to be a little better than average while not sticking your neck out.
Many of today’s board members grew up producing these Maturity Assessments as consultants, and they now ask for the same assessments they used to sell. It is comfortable, and it is useless.
Cybersecurity should be reasonable. That’s what the law says. HALOCK can help get you to reasonable and the most defensible security program available. Request assistance now.
Regulations tell you to examine your controls and fix the ones that are not effective. That is also what a maturity score of ‘4’ is supposed to mean, so these consultants are not doing you any favors by benchmarking you against a ‘3.2’. They are profitable, but are you any better off? Can you make informed decisions from a Maturity Assessment?
Perhaps the only decision that can be made from a maturity heat map is to walk away. No joke. Boards and executive management will be held responsible for their decisions, especially in the wake of a large incident. The FTC, the SEC and state regulators are leading the charge, and they know the difference between a maturity assessment and a risk assessment that meets the duty of care. Maturity Assessments appear to benefit the consulting firms performing them while leaving their clients in a quandary.
Regulations and standards require risk assessments. They require us to think ahead about the likelihood of harm we could cause to ourselves and others, and to make sure our controls reasonably protect others: that the burden of a safeguard is not greater than the risk it prevents. This is what Duty of Care Risk Analysis (DoCRA) does. The DoCRA standard has been available since 2018, and state regulators are now codifying DoCRA principles in their post-breach settlement and consent orders.
Does your risk management program meet the DoCRA standard?
Download the DoCRA Checklist.
Learn more from the people who made risk assessments reasonable.