THE Maturity Scale

Our point of view is simple.  We believe that alignment with government organizations provides material benefit to public and private entities.  We have aligned our maturity scale with CMMC definitions and allow for granular maturity scoring.  We believe that whole number, custom scales, simplified controls, and polar questions do not provide the information needed to effectively establish your risk baseline.



Process management includes deliberate process optimization/improvement.  Optimizing the certainty of outcomes, reduction of risk, and added value across the organization.  Continuous improvement methods have been established and are fully integrated into the management system.



The process is quantitatively managed in accordance with agreed-upon metrics.  Optimizing the certainty of outcomes, reduction of risk, and added value across the organization.  Continuous improvement methods are being developed but not included in the formal  management system.



The process is defined/confirmed as a standard business process.   Processes provide established feedback mechanism to allow for improvement over time. Focus on consistency in operations across the organization.  Metrics are utilized ad hoc by management.



The process is at least documented sufficiently such that repeating the same steps may be attempted.  Supporting documentation exists but not exercised.  Processes are planned, performed, and measured. Focus is on driving process execution and adjustments to meet business needs across the organization.



(Chaotic, ad hoc, individual heroics) — the starting point for use of a new or undocumented repeat process.  Work may or may not be completed. When completed it is often delayed with unpredictable outcomes. Processes are ad-hoc and not documented although they may be performed. There is limited or no operational visibility into functional process across the organization.



No solution exists, or is planned for implementation.  A solution for addressing the control has not been, and will not be, implemented in support of the control.  This is generally associated with the acceptance of risk or controls that are not applicable to an organization.




The level has been validated as effective over time across the organization.  Planning for next level of maturity has started.  Evidence exists and can be provided over time showing compliance.



Measurement and analysis of level performance is accurate and driving process maturity decisions.  The control has been implemented ubiquitously within the organization.



The resources needed to implement the planned activities have been allocated and applied in accordance to plan.  These may include items such as budget, skills, time, and leadership support.



Management and necessary stakeholders have committed and approved the implementation of the planned activities, but lack some element of the required resources to be capable of implementing a solution.



Maturity improvement plans are designed and documented in line with organizational requirements for formal project approval.


“Yes and No” questions, referred to as “Polar Questions” provide a more definitive level of response which some CISO’s prefer to Ordinal responses.  At V3 we believe that Polar Responses do not capture the level of maturity of a particular control.  We understand that people naturally prefer the simplicity of binary responses, but we believe that in cybersecurity, binary responses lead to a false sense of security.  Consider the example below.


Are technical controls in place to segregate networks?


Answering “Yes” or “No” does not provide the necessary insight to provide a response aligned with the intent of the control. We must understand the level of maturity associated with the control to have an understanding of the effectiveness of the control.


Lets assume that we want to answer yes because we have firewalls that separate our network segments. What is the policy being enforced by the technical controls was to allow all traffic to traverse the device? We could technically answer “Yes” to the question, but clearly the intent of the control has not been met and could misrepresent the organizational posture.


Whole number scales are used by many organizations to measure organizational maturity. It can provide a simple means of evaluation and faster implementation. At V3 we believe that whole number scales do not provide the needed granularity to measure and manage your cyber risk journey. Having the ability to effectively communicate your risk posture is critical to our ability to remain credible with our stakeholders.  The all or nothing approach that is employed by whole number scales dilutes the visibility and can misrepresents organizational risk.



An organization has implemented MFA on all  administrative staff members but has not documented the solution as required to satisfy the next level of maturity.  Do we score them with a Level 1 since there is no documentation?  Level 1 does not accurately represent the implementation of MFA; however, without the documentation needed to satisfy Level 2 requirements, you are left misrepresented and communication with management may misrepresent the true risk profile of the organization.    


Get started

If you want to get a free consultation without any obligations, fill in the form below and we'll get in touch with you.