What methodologies or frameworks (like NIST CSF, CMMC, etc.) are you using to assess and track your cybersecurity maturity level?

Director of Marketing, 9 months ago

Hello everyone! My response to this question isn't based on the activities of the organization that I work for; rather, it is based upon the many organizations that I confer with as a Cybersecurity Evangelist.

In my experience, most organizations gravitate to two sets of standards: 1) ISO 27001/27002 or 2) NIST 800-171/172-based standards, such as CMMC. Over time, it is also anticipated that US Federal agencies beyond the US Department of Defense (DoD) will more widely adopt CMMC-like standards. There are also longer-term standards out there, like PCI-DSS, that are required for specific use cases such as protection of credit card data.

Bigger-picture, it's in your best interest to select an achievable standard that's aligned with the ultimate cybersecurity goals of your company. Why is that? Because I have found that organizations that have adopted CMMC for their DoD business lines actually benefited from improved security protection in their "commercial" lines of business, as well. 

Information Security Manager in Banking, 9 months ago

We are using DORA - DevOps Research and Assessment (custom version, if I may say that). There is a capability called Shift Left Security; based on all the experience from me and my colleagues, I created custom questions and scenarios based on our organization.

Finance Manager, a year ago

NIST 2.0 for baseline and subsequently CIS leveraging IG1, IG2 and IG3 for deeper dives into domains/areas.

Director of IT in Energy and Utilities, a year ago

C2M2

Chief Information Officer in Miscellaneous, a year ago

NIST CSF 2.0
