[ Originally published on Medium.com Jan 21, 2023. ]
Different sides of the same coin, or same sides of different coins?
Many organizations assess their cyber maturity, either because they have to (answering to auditors and regulators) or because they want to. The de facto framework for such assessments is the NIST Cybersecurity Framework, commonly known as the CSF. The CSF core is made up of five functions that organize basic cybersecurity activities at their highest level: Identify, Protect, Detect, Respond, and Recover. (CSF 2.0, released in 2024, adds a sixth function, Govern, but the argument below applies unchanged.)
Various tools exist to conduct assessments against the CSF, and when all the numbers are rolled up to the core-function level, the result is a set of measures for the Identify, Protect, Detect, Respond, and Recover functions. These function-level measures capture an organization's cybersecurity maturity at the highest level. But does maturity translate to resilience against risk? Maybe.
Risk involves context: the threat actor, the tactics and techniques used, the vulnerabilities, the target(s), and so on. The difference between cyber maturity and cyber risk resilience can be illustrated with the following analogy.
Say you have a home, and you have taken steps to protect it from a break-in. You have sensors and deadbolts on all exterior doors and sensors on all your windows. Your "Protect and Detect score" is 90/100, say. And in any risk scenario that involves a burglar trying to gain entry via an exterior door or window, your Protect and Detect score would be, well, 90/100, more or less. Now, what about a burglar who tries to enter via your garage door? A little red-wire-to-green-wire on the access keypad, and poof, the automatic garage door opens. The door from the garage to the house is not locked, and the burglar has access. Now what is your Protect and Detect score, in this context? It ain't 90/100, that's for sure! More like 20/100. The aggregate score averaged over every control you own; the scenario score is set by the weakest control on the path the burglar actually took. And that's the difference between cyber maturity and cyber risk resilience.
Risk is contextual, and because of that, one's cybersecurity controls (and their effectiveness) must be contextualized when trying to understand risk resilience. Scoring well against a cybersecurity assessment framework does not necessarily imply commensurate protection against cyber risks. Assessments and degrees of maturity are only first steps (important ones), but the work doesn't stop there. Consider your cybersecurity posture in the context of your expected risks. And become more risk resilient!
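As an added worked example (not part of the original post), the script below models the analogy in a few lines of Python: a maturity-style score that averages every Protect and Detect control the household owns, beside a scenario score that walks the burglar's actual path and takes the weakest step. The control names, which entry points each control covers, the effectiveness numbers, and the weakest-link rule for scoring a path are all constructed assumptions for illustration; the "garage to house" door deliberately has no control covering it, as in the story.

```python
"""Aggregate maturity score versus scenario-contextualized resilience score.

Added illustration of the home-burglary analogy. Control names, coverage,
effectiveness values and the weakest-link scoring rule are constructed
assumptions, not a published scoring method.
"""
from dataclasses import dataclass
from statistics import mean

FUNCTIONS = ("Protect", "Detect")  # the two CSF functions scored in the analogy


@dataclass(frozen=True)
class Control:
    name: str
    function: str        # CSF core function the control belongs to
    covers: frozenset    # entry points (path steps) the control applies to
    effectiveness: int   # assessed effectiveness, 0-100 (constructed)


@dataclass(frozen=True)
class Scenario:
    name: str
    path: tuple          # ordered entry points the attacker must traverse


# Constructed control inventory for the analogy.
CONTROLS = (
    Control("Exterior door deadbolts", "Protect", frozenset({"front_door", "back_door"}), 95),
    Control("Exterior door sensors", "Detect", frozenset({"front_door", "back_door"}), 90),
    Control("Window locks", "Protect", frozenset({"windows"}), 80),
    Control("Window sensors", "Detect", frozenset({"windows"}), 90),
    # Keypad is bypassed by shorting two wires, so it protects very little.
    Control("Garage door keypad", "Protect", frozenset({"garage_door"}), 25),
)

# Constructed risk scenarios. The garage-to-house door is unlocked and
# unmonitored, so no control in CONTROLS covers "garage_interior_door".
SCENARIOS = (
    Scenario("Burglar forces front door", ("front_door",)),
    Scenario("Burglar enters via window", ("windows",)),
    Scenario("Burglar bypasses garage keypad", ("garage_door", "garage_interior_door")),
)


def aggregate_score(controls=CONTROLS, functions=FUNCTIONS):
    """Maturity-style score: plain average of every control in the scored
    functions, regardless of which attack path a control actually sits on."""
    scores = [c.effectiveness for c in controls if c.function in functions]
    return round(mean(scores), 1)


def step_score(step, controls=CONTROLS, functions=FUNCTIONS):
    """Score one path step: for each function take the best control covering
    the step (0 if nothing covers it), then average across the functions."""
    per_function = []
    for fn in functions:
        covering = [c.effectiveness for c in controls
                    if c.function == fn and step in c.covers]
        per_function.append(max(covering, default=0))
    return mean(per_function)


def scenario_score(scenario, controls=CONTROLS, functions=FUNCTIONS):
    """Resilience against one scenario: the weakest link along the attacker's
    path. Returns (score, weakest_step) so the result points at the gap."""
    steps = {s: step_score(s, controls, functions) for s in scenario.path}
    weakest = min(steps, key=steps.get)
    return round(steps[weakest], 1), weakest


def resilience_report(scenarios=SCENARIOS, controls=CONTROLS):
    """Map each scenario name to its contextual score and weakest step."""
    return {s.name: scenario_score(s, controls) for s in scenarios}


if __name__ == "__main__":
    print(f"Aggregate Protect+Detect maturity: {aggregate_score()}/100")
    for name, (score, weakest) in resilience_report().items():
        print(f"{name}: {score}/100 (weakest step: {weakest})")
```

With these constructed numbers the aggregate Protect and Detect score comes out at 76/100, while the garage scenario scores 0/100 because the unlocked interior door has nothing covering it. The weakest-step output is the practical payoff: a contextual assessment names the control to add, whereas the aggregate number only says the program looks healthy overall.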