Our point of view is simple. We believe that alignment with government organizations provides material benefit to public and private entities. We have aligned our maturity scale with CMMC definitions and allow for granular maturity scoring. We believe that whole-number scales, custom scales, simplified controls, and polar questions do not provide the information needed to effectively establish your risk baseline.
"Yes and No" questions, referred to as "polar questions," provide a more definitive response, which some CISOs prefer to ordinal responses. At V3 we believe that polar responses do not capture the level of maturity of a particular control. We understand that people naturally prefer the simplicity of binary responses, but we believe that in cybersecurity, binary responses lead to a false sense of security. Consider the example below.
Are technical controls in place to segregate networks?
Answering "Yes" or "No" does not provide the insight needed to respond in line with the intent of the control. We must understand the level of maturity associated with the control to understand how effective the control actually is.
Let's assume that we want to answer "Yes" because we have firewalls that separate our network segments. What if the policy enforced by those technical controls allowed all traffic to traverse the device? We could technically answer "Yes" to the question, but clearly the intent of the control has not been met, and the answer could misrepresent the organizational posture.
Whole-number scales are used by many organizations to measure organizational maturity. They can provide a simple means of evaluation and faster implementation. At V3 we believe that whole-number scales do not provide the granularity needed to measure and manage your cyber risk journey. Having the ability to effectively communicate your risk posture is critical to remaining credible with your stakeholders. The all-or-nothing approach employed by whole-number scales dilutes visibility and can misrepresent organizational risk.
An organization has implemented MFA for all administrative staff members but has not documented the solution as required to satisfy the next level of maturity. Do we score them at Level 1 because there is no documentation? Level 1 does not accurately represent the implementation of MFA; however, without the documentation needed to satisfy the Level 2 requirements, the organization is misrepresented, and what is communicated to management may not reflect its true risk profile.
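To make the information loss concrete, the following added example scores the two controls discussed above (network segregation and MFA) three ways: as a polar answer, on a whole-number scale, and on a granular scale that credits partially satisfied levels. This is illustrative code written for this page, not V3's scoring model, and the per-level criteria for each control are assumptions made up for the example rather than CMMC's actual practice text.

```python
from dataclasses import dataclass


@dataclass
class Criterion:
    """One assessable requirement, assigned to the maturity level it belongs to."""
    level: int
    description: str
    met: bool


@dataclass
class Control:
    name: str
    criteria: list


def polar_score(control: Control) -> str:
    """Binary answer: 'Yes' if anything at all has been done for this control."""
    return "Yes" if any(c.met for c in control.criteria) else "No"


def whole_number_score(control: Control) -> int:
    """Highest level at which every criterion (and every lower level) is fully met."""
    level = 0
    for lvl in sorted({c.level for c in control.criteria}):
        at_level = [c for c in control.criteria if c.level == lvl]
        if all(c.met for c in at_level):
            level = lvl
        else:
            break  # a gap at this level caps the score, whatever is met above it
    return level


def granular_score(control: Control) -> float:
    """Whole-number level plus the fraction of the next level's criteria already met."""
    base = whole_number_score(control)
    next_level = [c for c in control.criteria if c.level == base + 1]
    if not next_level:
        return float(base)
    return round(base + sum(c.met for c in next_level) / len(next_level), 2)


def unmet_criteria(control: Control) -> list:
    """What an assessor would report as the gap, rather than a bare score."""
    return [c.description for c in control.criteria if not c.met]


# Constructed example 1: firewalls exist, but the policy allows all traffic through.
FIREWALL_CONTROL = Control(
    name="Technical controls segregate networks",
    criteria=[
        Criterion(1, "Firewall deployed between network segments", met=True),
        Criterion(2, "Inter-segment policy denies traffic by default", met=False),
        Criterion(2, "Rule set documented and reviewed", met=False),
    ],
)

# Constructed example 2: MFA enforced for every admin account, but undocumented.
MFA_CONTROL = Control(
    name="MFA for administrative access",
    criteria=[
        Criterion(1, "MFA enforced for at least one administrative account", met=True),
        Criterion(2, "MFA enforced for all administrative accounts", met=True),
        Criterion(2, "MFA solution documented", met=False),
    ],
)


def report(control: Control) -> dict:
    return {
        "control": control.name,
        "polar": polar_score(control),
        "whole_number": whole_number_score(control),
        "granular": granular_score(control),
        "gaps": unmet_criteria(control),
    }


if __name__ == "__main__":
    for ctrl in (FIREWALL_CONTROL, MFA_CONTROL):
        print(report(ctrl))
```

Both controls answer "Yes" to the polar question and both land on Level 1 under the whole-number scale, yet the granular scale separates them (1.0 for the allow-all firewall, 1.5 for the undocumented but fully enforced MFA), and the reported gaps show management exactly what is missing in each case.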