Building Resilience and
Cybersecurity Capability Maturity

September 27, 2024

In an ever-changing threat landscape, the one constant is the drive for organizations to enhance the maturity of their cybersecurity capabilities. This ongoing journey has become a key focus for business leaders, guiding their investments in organizational security strategies. While perceptions of security maturity may differ, this blog explores how cybersecurity capability maturity levels and business outcomes are closely connected. We outline how understanding the maturity levels across their respective industries can help businesses enhance their security posture and achieve resilient outcomes.

Why Capability Maturity Matters to the Business

Cybersecurity capability maturity refers to the degree to which an organization’s security processes are defined, managed, measured and optimized. The Capability Maturity Model Integration (CMMI) scale helps classify maturity levels from “Level 1: Initial” (where processes are ad hoc or the least mature) to “Level 5: Optimizing” (where processes are robust and are continuously improved).

Capability maturity is typically assessed using established frameworks and standards like the NIST Cybersecurity Framework (CSF), NIST SP 800-53, Center for Internet Security (CIS) Controls, ISO/IEC 27001 and other industry benchmarks. These standards provide organizations with a structured approach to assess and improve their security processes across various security domains. Adopting these frameworks is critical, as they offer a consistent foundation for measuring security performance, ensuring alignment with leading practices and enabling comparison across industries. The graphic below highlights cybersecurity maturity levels across different industries for the years 2022 and 2023, offering insights into how sectors are progressing in their security maturation efforts.

Decoding the Cybersecurity Capability Maturity Landscape Across Industries

Image

Our findings indicate that from January 2023 to June 2024, organizations across industries have increasingly focused on enhancing their cybersecurity capability maturity to build resilience against sophisticated threats and ensure regulatory compliance. To collect data, we leveraged a combination of surveys and in-depth interviews with cybersecurity experts and practitioners, as well as an analysis of our product sales data from at least 3,000 organizations. Interviews included over 300 security leaders and executives to provide further context about cybersecurity practices and the challenges their organizations face. Results were analyzed using a mix of qualitative and quantitative techniques, ensuring a comprehensive view of industry-wide trends.

Organizations are moving beyond basic cybersecurity measures like two-factor authentication (2FA), antivirus solutions and firewalls. They are increasingly investing in more advanced, proactive security practices. This shift is driven by the increasing complexity of cyber threats and regulatory requirements, as well as the need to protect sensitive data and critical infrastructure.

We see this trend aligns with findings from the 2024 Cybersecurity Threat and Risk Management Report produced by the Ponemon Institute and sponsored by Optiv. The report indicates that more resources are being allocated to assess the effectiveness of cybersecurity processes and governance practices. Examining 2024 cybersecurity investment priorities, the report reveals that 60% of respondents plan to conduct internal assessments of their security processes and governance, 58% are increasing resources for identity and access management (IAM), 51% are investing in additional cybersecurity tools and 49% are focused on hiring more skilled security staff. This proactive approach reflects the industry's commitment to not only meeting compliance standards, but also staying ahead of emerging threats.

The financial industry is leading the charge in cybersecurity capability maturity, with an average maturity score of 2.5 and a top quartile score of 3.3 out of 5. A score of 3.0 is considered a solid benchmark of "good" maturity across industries, indicating that organizations have implemented effective, proactive security measures. The organizations across this industry have made significant investments in areas like identity and access management (IAM), security governance and incident response capabilities. Growing maturity across organizations in the financial industry is also driven by increasingly stringent regulatory requirements and the critical nature of the data handled by these organizations, which is a prime target for financially motivated threat actors.

The healthcare industry has also shown significant improvement in overall cybersecurity maturity, driven by increased spending on data privacy controls with a heightened focus on protecting sensitive patient data. Healthcare organizations are known for being expansive in their geographical reach and service coverage. From a security perspective, what stands out is the fact that one centralized organization often deploys thousands of workstations, endpoint and medical IoT devices and remote services while managing high volumes of sensitive patient data. Compromising the integrity of that data or the availability of essential records, systems and networks providing life-saving services could have disastrous results. With healthcare institutions often being a ransomware target, SOC audits and rapid detection capabilities are becoming more of an industry necessity.

In contrast, industries like industrials and consumers continue to struggle with budget constraints and competing priorities, making it difficult to fully prioritize cybersecurity maturity. The organizations within these industries continue to face challenges such as increased reliance on third-party partners and the complexity of extensive supply chains. Operational technology (OT) and manufacturing systems, which are critical to these industries, are particularly difficult to test and upgrade without disrupting production. Furthermore, according to Optiv and Ponemon’s 2024 Cybersecurity Threat and Risk Management Report, only 30% of respondents indicated that assessment of the security of the supply chain was a metric used to report on their organization's cybersecurity risk management program. This highlights a significant gap in risk visibility and management within these sectors.

Image

As organizations strive to enhance their cybersecurity maturity, the following areas have emerged as key differentiators between industry leaders and those still in the process of advancing their capabilities:

Identity and Access Management (IAM): Ensuring that only authorized individuals have access to sensitive systems and data is a critical aspect of cybersecurity. Organizations are increasingly investing in IAM solutions to strengthen their access controls and reduce the risk of insider threats. In fact, according to Optiv and Ponemon’s 2024 Cybersecurity Threat and Risk Management Report, 58% of respondents indicated that they plan to increase resources allocated to their IAM programs in 2024. This underscores the growing importance of robust access management in securing organizational assets.

Incident Response (IR): The ability to quickly detect, respond to and recover from cyber incidents is a crucial driver of cybersecurity maturity. Strong IR capabilities demonstrate an organization’s preparedness and resilience in the face of evolving threats. Organizations are not only investing in detection and response technologies like endpoint detection and response (EDR) and managed detection and response (MDR), but they are also refining their incident response processes and conducting regular training to ensure swift and effective action when incidents occur.

Security Automation, Orchestration and Response (SOAR): Automation is playing a growing role in cybersecurity, as organizations are seeking to streamline their security operations and respond more quickly to threats. SOAR platforms enhance efficiency by automating routine tasks, allowing security teams to focus on more complex challenges while reducing operational strain. 

What’s Next: The Future of Cybersecurity Maturity

As we look to the future, the concept of continuous improvement will become central to cybersecurity maturity. Organizations will need to regularly assess and update their security processes to keep pace with evolving threats. The adoption of frameworks like the NIST Cybersecurity Framework (CSF) 2.0 and the Center for Internet Security (CIS) Controls v8.1 will become more widespread, providing organizations with clearer guidance on improving their security posture.

We expect greater cross-industry collaboration in cybersecurity with the sharing of leading practices and threat intelligence across industries, which will help organizations address shared challenges and enhance their collective security. For more details on the prioritized governance and risk management practices across industries, please read Optiv and Ponemon’s 2024 Cybersecurity Threat and Risk Management report.