Crossbow Labs

Crossbow Labs Logo

Establishing Cyber Resilience As A Business Essential – Part 3


Part 3 : Measuring Cyber Resilience

Going back to our quote by Peter Drucker – ‘You Can’t Measure It, You Can’t Improve It’ from Part 1, for assurance on operational effectiveness (read Part 2 for understanding our 5 Step Approach to Implementing Cyber Resilient Resources), for identification of improvement opportunities and for realignment with business objectives – measurement scheme is an integral and essential part of the a cyber resilience program.

What is Maturity Indictor levels (MIL):

Maturity Indicator level (MIL) is used to provide organizations with an approximation of the maturity of their cyber resilience program across the Practice when countered with various cybersecurity threats.

Using Maturity Indictor levels (MIL):

Defining MILs to assess the capability and adaptability of the resilience requires prudence and due diligence. Some pointers to help get started with defining effective MILs

  1. Select a suitable model for Maturity Measure.
  2. In consultation with the Management determine the target MIL based on the business objectives for each practice.
  3. Conduct a current MIL assessment .
  4. Create a roadmap and project plan to reach the target MIL.
  5. Set up implementation plan and action tracker in line with the roadmap.
  6. Validate the project plan at every milestone.
  7. Enforce a process of continuous assessment and remediation to sustain the target MIL.

Implement a Cyber Resilience Review (CRR) framework

The next logical step would be to define progressive scales of Maturity levels using Maturity Indictor levels (MIL)

  1. Incomplete (MIL0) – Projects / business functions that are not being measured for responses to the relevant business objectives
  2. Performed (MIL1) – All practices that support the goals in a domain are being performed as measured by responses to the checklist questions but may not have formally documented and approved policy and procedures ( or such document is inadequate to the business objectives.
  3. Planned- MIL2 – All specific business functions in the CRR domain are not only performed but are also supported by relevant stakeholders and relevant standards / guidelines. A planned process or practice would be on that is,
    • established by the organization through policy and a documented plan
    • supported by stakeholders
    • supported by relevant standards and guidelines
  4. Manage (MIL3) – All business functions in the CRR domain are performed, planned, and have basic governance infrastructure in place to support the process. A managed process or practice one which is
    • governed by the organization
    • appropriately staffed with qualified people
    • adequately funded
    • managed for risk
  5. Measure (MIL4) – All business functions in the CRR domain are performed, planned, managed, monitored, and controlled. A measured process or practice one which is
    • periodically evaluated for effectiveness
    • objectively evaluated against its practice description and plan
    • periodically reviewed with higher level management
  6. Defined (MIL5) – All business functions in the CRR domain are performed, planned, managed, measured, and consistent across all constituencies within the organization as well as for who have a vested interest in the performance of the practice. At MIL5, a process or practice is
    • defined by the organization and tailored by individual operating units within the organization for their use
    • supported by improvement information that is collected by and shared among operating units for the overall benefit of the organization

NOTE: Maturity indicator levels used in this document are derived from methodologies developed by

  • Cyber Resilience Evaluation Method and the CERT® Resilience Management Model (CERT-RMM), both developed at Carnegie Mellon University’s Software Engineering Institute.
  • CISA (Cybersecurity and Infrastructure Security Agency) a part of US- DHS

A maturity model-based measurement system shows how capable an entity’s cyber resilience program is towards achieving its business objectives. It also provides an insight to the effort an organisation is taking towards continuous improvement and achieving realistic Return of Investment (ROI) made towards building a cyber resilient environment.