Does anyone have a cybersecurity capability model that they have developed and would be willing to share? I am not looking at a capability maturity model, rather a model to show what capabilities should be present in a modern cybersecurity organization.
IT Manager in Energy and Utilities, 7 months ago
I would recommend taking a look at the CIS Top 18. They have a series of controls which can be maturity assessed and scored against, which can build a current picture; then you could extend it to show target maturity, keep a history of yearly scores and then, if you're brave, add risks in to show where the greatest threats are for your org. It can all be done in Excel, no need for fancy tools :)
I can share with you something I have built; here is a synthesized, shortened version of it:
1. Governance and Risk Management
• Policy Development and Management: Establishing and maintaining security policies.
• Risk Assessment and Management: Identifying, assessing, and mitigating risks.
• Compliance Management: Ensuring adherence to relevant laws, regulations, and standards.
2. Threat Intelligence and Management
• Threat Intelligence: Gathering and analyzing threat data.
• Incident Response: Detecting, responding to, and recovering from security incidents.
• Vulnerability Management: Identifying and addressing vulnerabilities in systems and applications.
3. Identity and Access Management (IAM)
• User Authentication and Authorization: Ensuring only authorized users have access to resources.
• Privileged Access Management: Controlling and monitoring access to critical systems.
• Identity Lifecycle Management: Managing the creation, maintenance, and deletion of user identities.
4. Security Operations
• Security Monitoring and Analytics: Continuous monitoring of systems for security events.
• Security Information and Event Management (SIEM): Aggregating and analyzing security data.
• Endpoint Detection and Response (EDR): Monitoring and responding to threats on endpoints.
5. Data Protection
• Data Encryption: Protecting data at rest and in transit.
• Data Loss Prevention (DLP): Preventing unauthorized data exfiltration.
• Backup and Recovery: Ensuring data can be restored in case of loss or corruption.
6. Application Security
• Secure Software Development: Integrating security into the software development lifecycle.
• Application Testing: Conducting security testing on applications.
• Patch Management: Keeping software up to date with security patches.
7. Network Security
• Firewall Management: Configuring and managing firewalls.
• Intrusion Detection and Prevention Systems (IDPS): Detecting and preventing network-based attacks.
• Network Segmentation: Dividing the network into segments to limit the spread of attacks.
8. Physical Security
• Access Control: Controlling physical access to facilities.
• Surveillance: Monitoring physical premises.
• Environmental Controls: Protecting against environmental threats (e.g., fire, flood).
9. Security Awareness and Training
• Employee Training: Educating employees on security best practices.
• Phishing Simulations: Conducting simulated phishing attacks to raise awareness.
• Security Culture: Promoting a culture of security within the organization.
10. Third-Party Risk Management
• Vendor Risk Assessment: Evaluating the security posture of third-party vendors.
• Contractual Security Requirements: Ensuring contracts include necessary security clauses.
• Ongoing Monitoring: Continuously monitoring third-party security practices.
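As an added example (not code from either answer above), here is a small Python scorer that applies the first answer's idea of current-versus-target maturity with risk weighting to the capability domains listed in the second answer. The five maturity levels, the sample ratings and the risk weights are constructed for illustration, not assessment data from this thread.

```python
# Added example: maturity gap scoring over the capability model above.
# Levels, sample ratings and risk weights are constructed, not from the page.
from dataclasses import dataclass

LEVELS = {0: "absent", 1: "initial", 2: "defined", 3: "managed", 4: "optimized"}


@dataclass
class Capability:
    domain: str
    name: str
    current: int              # assessed maturity, 0..4
    target: int               # desired maturity, 0..4
    risk_weight: float = 1.0  # how much a gap here matters (constructed weight)

    def gap(self) -> int:
        return max(self.target - self.current, 0)   # only shortfalls count

    def weighted_gap(self) -> float:
        return self.gap() * self.risk_weight


def validate(caps):
    """Reject ratings outside the level scale or non-positive weights."""
    for c in caps:
        if c.current not in LEVELS or c.target not in LEVELS:
            raise ValueError(f"{c.domain}/{c.name}: maturity must be 0..4")
        if c.risk_weight <= 0:
            raise ValueError(f"{c.domain}/{c.name}: risk weight must be positive")


def domain_scores(caps):
    """Average current/target maturity per domain plus summed weighted gap."""
    validate(caps)
    acc = {}
    for c in caps:
        d = acc.setdefault(c.domain, {"current": 0.0, "target": 0.0, "gap": 0.0, "n": 0})
        d["current"] += c.current
        d["target"] += c.target
        d["gap"] += c.weighted_gap()
        d["n"] += 1
    return {k: {"current": round(v["current"] / v["n"], 2),
                "target": round(v["target"] / v["n"], 2),
                "weighted_gap": v["gap"]} for k, v in acc.items()}


def prioritize(caps):
    """Capabilities ordered by weighted gap, largest first: the remediation backlog."""
    validate(caps)
    return sorted(caps, key=lambda c: (-c.weighted_gap(), c.domain, c.name))


SAMPLE = [  # constructed ratings against domains from the model above
    Capability("Governance and Risk Management", "Risk Assessment and Management", 2, 3),
    Capability("Threat Intelligence and Management", "Incident Response", 1, 3, 2.0),
    Capability("Identity and Access Management (IAM)", "Privileged Access Management", 1, 4, 3.0),
    Capability("Security Operations", "Security Monitoring and Analytics", 3, 3),
    Capability("Application Security", "Patch Management", 2, 4, 2.0),
    Capability("Third-Party Risk Management", "Vendor Risk Assessment", 0, 2, 1.5),
]

if __name__ == "__main__":
    for c in prioritize(SAMPLE):
        print(f"{c.weighted_gap():4.1f}  {c.domain}: {c.name} "
              f"({LEVELS[c.current]} -> {LEVELS[c.target]})")
```

Re-running the scorer each year over a saved list of ratings gives the score history the first answer describes; the per-domain output is what you would chart against target maturity.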