Every CEO wants to know the same thing: "How secure are we?" It's a simple question with a complicated answer, unless you have a structured way to evaluate it.
That's where a cybersecurity maturity model comes in. Rather than giving you a binary "secure" or "not secure" verdict, a maturity model places your organization on a spectrum. It tells you where you are, where you need to be, and what it takes to get there.
This guide gives you a practical self-assessment framework you can use today. No consultants required for the first pass. Just honest answers and a willingness to act on what you find.
The Five Maturity Levels
Before you evaluate specific domains, understand the scale. Each level represents a fundamentally different posture.
Level 1: Initial / Ad Hoc
- No formal security program
- Security is reactive and inconsistent
- No documented policies or procedures
- Reliance on individual knowledge
Level 2: Developing
- Some policies exist but aren't consistently followed
- Basic controls are in place (antivirus, firewalls)
- Security responsibilities are informal
- Limited awareness training
Level 3: Defined
- Formal policies documented and communicated
- Security roles and responsibilities assigned
- Regular training and awareness programs
- Incident response plan exists and has been tested
Level 4: Managed
- Security metrics are tracked and reported
- Controls are regularly tested and validated
- Risk management is integrated into business decisions
- Third-party risk is actively managed
Level 5: Optimized
- Continuous improvement processes are embedded
- Threat intelligence informs proactive defense
- Security enables business innovation
- Industry-leading practices are the norm
Most small and mid-sized businesses operate at Level 1 or 2. The goal for most SMBs should be reaching Level 3 within 12-18 months, with selective advancement to Level 4 in critical areas.
Maturity isn't about buying more tools. It's about building the discipline to use the ones you have consistently and effectively.
The Six Assessment Domains
Your maturity assessment should cover six core domains. For each domain, rate your organization honestly on the 1-5 scale described above.
Domain 1: Governance and Leadership
This domain measures whether security has executive attention, formal accountability, and strategic alignment.
Rate yourself:
- Is there a named person accountable for cybersecurity (even if it's not their only role)?
- Does cybersecurity appear on the board or executive team agenda at least quarterly?
- Is there a documented security strategy aligned with business objectives?
- Is security budget reviewed and approved as part of the annual planning process?
Scoring guide:
Level 1: No one is formally responsible. Security is "IT's problem."
Level 3: A security leader is designated. Executive briefings happen quarterly. Budget is allocated.
Level 5: Security is a standing board agenda item. Strategy is reviewed annually. CISO reports to the CEO or COO.
A common mistake is confusing "we have an IT person" with "we have security governance." As KPMG has noted, one of the biggest mistakes an organization can make is regarding cybersecurity as something purely in the domain of the CIO. Your IT director may be great at keeping systems running, but if nobody at the executive level is asking about risk, you're at Level 1 regardless of how good your IT team is.
Domain 2: Access Control and Identity Management
This domain evaluates how you manage who can access what, and how you verify their identity.
Rate yourself:
- Is MFA required for all remote access, email, and critical applications?
- Do you follow the principle of least privilege (employees only have access they need)?
- Are access rights reviewed regularly and revoked promptly when roles change?
- Do you have a password policy, and is it enforced through technical controls?
Domain 3: Incident Detection and Response
This domain assesses your ability to detect security events and respond effectively when they occur.
Rate yourself:
- Do you have monitoring in place to detect suspicious activity?
- Is there a documented incident response plan?
- Has the plan been tested through a tabletop exercise or simulation in the last 12 months?
- Do you have relationships with external incident response resources (legal, forensics, PR)?
The Detection Gap
If you have no monitoring in place, you are at Level 1 in this domain regardless of what else you've done. You cannot respond to threats you cannot see. Many SMBs discover breaches only when customers, partners, or law enforcement notify them, weeks or months after the initial compromise.
Domain 4: Security Awareness and Training
This domain measures how well your people understand and practice security.
Rate yourself:
- Do all employees receive security awareness training at least annually?
- Do you conduct phishing simulations to test and reinforce training?
- Is training tailored to different roles (executives, finance, general staff)?
- Are employees recognized or rewarded for reporting security concerns?
Domain 5: Data Protection and Privacy
This domain evaluates how you handle, store, and protect sensitive information.
Rate yourself:
- Do you know where all your sensitive data resides (customer PII, financial data, IP)?
- Is sensitive data encrypted at rest and in transit?
- Do you have data retention policies that minimize what you store?
- Are you compliant with applicable privacy regulations (state laws, industry requirements)?
Domain 6: Vendor and Third-Party Risk Management
This domain assesses how you manage the security risks introduced by your vendors, partners, and service providers.
Rate yourself:
- Do you maintain an inventory of vendors who access your systems or data?
- Do you evaluate vendor security posture before onboarding?
- Are security requirements included in vendor contracts?
- Do you review vendor access and security practices at least annually?
Calculating Your Maturity Score
Rate each domain on the 1-5 scale. Be honest; this assessment is for your benefit, not for show.
Score Each Domain
Rate each of the six domains on the 1-5 scale. Use the scoring guides and be conservative in your assessment.
Calculate Your Average
Add your six domain scores and divide by six. This gives you an overall maturity score between 1.0 and 5.0.
Identify Your Gaps
Focus on the domains with the lowest scores. These represent your highest-risk areas and should be addressed first.
Interpreting Your Score
Average Score: 1.0 - 1.9 (Critical)
Your organization has minimal security controls and is highly vulnerable. Immediate action is needed. Start with the 90-Day Cybersecurity Sprint to address the most critical gaps.
Average Score: 2.0 - 2.9 (Developing)
You have some controls in place but significant gaps remain. Focus on formalizing policies, deploying essential controls, and establishing regular security practices.
Average Score: 3.0 - 3.9 (Solid Foundation)
You have a working security program. Focus on consistency, measurement, and advancing specific domains to Level 4. You're in a strong position to pursue formal compliance frameworks.
Average Score: 4.0 - 5.0 (Advanced)
Your security program is mature and well-integrated. Focus on continuous improvement, threat intelligence, and using security as a competitive differentiator.
Where Companies Consistently Misjudge Themselves
Research consistently shows that organizations overestimate their cybersecurity maturity. According to Bain & Company, most companies overestimate the effectiveness of their cybersecurity because they fail to grasp the complexity of the challenge. The same patterns come up over and over in self-assessments like this.
Governance gets inflated. CEOs rate themselves a 3 because they "care about security" and have talked about it in meetings. But caring and governing are different things. If there's no regular reporting structure, no dedicated budget line, and no named owner, you're at a 1 or 2 regardless of how many conversations you've had about it.
Access control gets a pass. Companies say "we use MFA" and give themselves a 3 or 4, but when you dig in, MFA is only on email. The VPN, the accounting system, the HR platform, the cloud storage -- all still password-only. And there are usually three or four shared admin accounts that multiple people use.
Incident response gets the benefit of the doubt. A company will say they have an incident response plan because someone wrote a document two years ago. But nobody knows where it is, it hasn't been tested, and the contact information is outdated. That's a 1, not a 3.
Vendor management is almost always the weakest domain, and most companies know it but don't want to confront it. They've never asked a single vendor about their security practices.
A Typical Scenario
Consider a hypothetical scenario that reflects a pattern common across professional services firms in the 100-200 employee range. The specifics vary, but the shape of the story is remarkably consistent.
The company's leadership assumes they are in decent shape. They have antivirus, a firewall, and an IT director who seems competent. When they actually score themselves honestly, the picture looks different:
| Domain | Score | What They Found |
|--------|-------|-----------------|
| Governance | 2 | The IT director handled security as a side task; nobody at the executive level reviewed anything |
| Access Control | 2 | MFA on email only; three shared admin accounts nobody wanted to touch because "they'd break things" |
| Incident Response | 1 | No plan, no monitoring, no external relationships established |
| Training | 2 | A stale annual compliance module that employees clicked through in 10 minutes |
| Data Protection | 3 | Encryption was in place and data retention was documented, the one bright spot |
| Vendor Management | 1 | Over 40 vendors with various levels of access, zero formal assessments |
Overall Score: 1.8
The score is often surprising. But it provides something actionable. By focusing the first 90 days on the three lowest-scoring domains, a company in this position can typically move the overall average to the 2.5-3.0 range within six months. Not perfect, but a fundamentally different risk posture. The hardest part is usually not the technical work -- it's getting the leadership team to accept that their gut feeling about security has been wrong.
Setting Your Target Maturity Level
Not every organization needs to reach Level 5. Your target should be based on:
- Industry requirements. Healthcare, financial services, and government contractors face stricter expectations.
- Client expectations. If your clients are enterprise companies, they'll increasingly require vendor security maturity.
- Risk tolerance. How much risk can your business absorb? The answer varies by size, industry, and business model.
- Budget reality. Higher maturity levels require more investment. Prioritize the domains where advancement has the greatest impact on risk reduction.
For most SMBs, the practical target is:
- Level 3 across all domains as a baseline
- Level 4 in high-risk domains (access control and incident response are usually the priorities)
- Level 5 selectively if your industry or client base demands it
The goal isn't to score a five in every category. It's to know where you stand, where you need to be, and how to close the gap.
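The scoring procedure (score each domain, average, identify gaps), the interpretation bands, and the suggested SMB targets above can be turned into a small reusable calculator. The following script is an added example written for this page, not code from the original article; it uses the hypothetical firm's six domain scores from the scenario table as constructed input, and the target levels it assumes (Level 3 baseline, Level 4 for access control and incident response) are the ones the article suggests for most SMBs.

```python
"""Cybersecurity maturity self-assessment calculator (added example).

Implements the article's three-step procedure: score each of the six
domains on the 1-5 scale, average them, and rank the gaps. It also maps
the average onto the article's interpretation bands and compares each
domain against a target level so the roadmap can be prioritized.
"""

DOMAINS = (
    "Governance and Leadership",
    "Access Control and Identity Management",
    "Incident Detection and Response",
    "Security Awareness and Training",
    "Data Protection and Privacy",
    "Vendor and Third-Party Risk Management",
)

# Interpretation bands from the article, as (inclusive lower bound, label).
# Checked from the top down, so 1.9x averages still land in "Critical".
BANDS = (
    (4.0, "Advanced"),
    (3.0, "Solid Foundation"),
    (2.0, "Developing"),
    (1.0, "Critical"),
)

# Assumed SMB targets: Level 3 everywhere, Level 4 in the two high-risk domains.
DEFAULT_TARGETS = {domain: 3 for domain in DOMAINS}
DEFAULT_TARGETS["Access Control and Identity Management"] = 4
DEFAULT_TARGETS["Incident Detection and Response"] = 4


def validate(scores):
    """Reject incomplete assessments or scores outside the 1-5 scale."""
    missing = set(DOMAINS) - set(scores)
    if missing:
        raise ValueError(f"missing domain scores: {sorted(missing)}")
    for domain, score in scores.items():
        if domain not in DOMAINS:
            raise ValueError(f"unknown domain: {domain}")
        if not isinstance(score, int) or isinstance(score, bool) or not 1 <= score <= 5:
            raise ValueError(f"{domain}: score must be an integer from 1 to 5")


def average_score(scores):
    """Step 2: add the six domain scores and divide by six (one decimal)."""
    validate(scores)
    return round(sum(scores[d] for d in DOMAINS) / len(DOMAINS), 1)


def interpret(average):
    """Map an average onto the article's interpretation bands."""
    for lower_bound, label in BANDS:
        if average >= lower_bound:
            return label
    raise ValueError("average must be at least 1.0")


def lowest_domains(scores, n=3):
    """Step 3: the n lowest-scoring domains, i.e. the highest-risk areas."""
    validate(scores)
    ranked = sorted(((d, scores[d]) for d in DOMAINS), key=lambda item: item[1])
    return ranked[:n]


def gaps(scores, targets=None):
    """Domains below target, as (domain, score, target, gap), largest gap first.

    Ties on gap size are broken by the lower current score, so a Level 1
    domain outranks a Level 2 domain with the same distance to its target.
    """
    validate(scores)
    targets = DEFAULT_TARGETS if targets is None else targets
    rows = [
        (d, scores[d], targets[d], targets[d] - scores[d])
        for d in DOMAINS
        if targets[d] - scores[d] > 0
    ]
    return sorted(rows, key=lambda row: (-row[3], row[1]))


def assess(scores, targets=None):
    """Run the whole procedure and return a summary dictionary."""
    average = average_score(scores)
    return {
        "average": average,
        "band": interpret(average),
        "lowest": lowest_domains(scores),
        "gaps": gaps(scores, targets),
    }


# Constructed input: the hypothetical 100-200 employee firm from the article.
SCENARIO_SCORES = {
    "Governance and Leadership": 2,
    "Access Control and Identity Management": 2,
    "Incident Detection and Response": 1,
    "Security Awareness and Training": 2,
    "Data Protection and Privacy": 3,
    "Vendor and Third-Party Risk Management": 1,
}

if __name__ == "__main__":
    result = assess(SCENARIO_SCORES)
    print(f"Overall score: {result['average']} ({result['band']})")
    print("Address first:", ", ".join(d for d, _ in result["lowest"]))
    for domain, score, target, gap in result["gaps"]:
        print(f"  {domain}: {score} -> target {target} (gap {gap})")
```

Running it on the scenario scores reproduces the article's 1.8 overall score in the "Critical" band, names incident response, vendor management, and governance as the three domains to address first, and lists every domain sitting below its target level, which is the list the 90-day roadmap should be built from.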
Building Your Improvement Roadmap
Once you've assessed your maturity and set targets, build a roadmap that prioritizes high-impact, lower-effort improvements first.
Quick wins (1-3 months):
- Deploy MFA everywhere
- Eliminate shared accounts
- Create a basic incident response plan
- Start security awareness training
Medium-term initiatives (3-6 months):
- Implement monitoring and alerting
- Formalize policies and procedures
- Conduct first tabletop exercise
- Build vendor inventory and assessment process
Longer-term investments (6-12 months):
- Pursue compliance certifications if needed
- Implement advanced monitoring (SIEM or managed detection)
- Conduct penetration testing
- Integrate security into business planning processes
For a deeper dive into maturity assessment frameworks and actionable improvement strategies, see Cybersecurity for CEOs.