How the Essential 8 Maturity Model Benchmarks Cybersecurity

Cybersecurity for business sprawls across systems, people, and processes, making it difficult to know how well you’re protecting your organisation. ASIC’s Cyber Pulse Survey 2023 reports that Australian-regulated organisations have an average cybersecurity maturity score of just 1.66 on a scale from 0 to 3. But what does that mean? How can you find out your organisation’s cybersecurity maturity level? And what level should it be?

The Essential Eight Maturity Model

An initiative of the Australian Signals Directorate and the Australian Cyber Security Centre, the Essential Eight is designed to help Australian organisations stay cyber secure. The guidance provides various strategies across different areas of focus that build in complexity at each maturity level, from level 0 to level 3.

For an overall ACSC primer, take a look at our ACSC Essential 8 blog.

Maturity models benchmark your organisation

Maturity models are a great way to see how your organisation compares to the rest of the playing field and to find new goals and KPIs to strive towards. Standardised maturity model frameworks provide checklists to achieve different levels of business sophistication. Popular models include:

The levels system of maturity models

The levels of maturity that these maturity models provide are staggered so that organisations can grow to excel in the given field. The levels usually rise in number, with descriptions like “Ad-hoc” through to “Optimising”. Achieving a certain level means achieving all the requirements at that level. Organisations self-assess their maturity.

Note: In some cases, you may choose not to tick off all boxes at a certain level, and only strive to achieve what applies to your business at a higher level. 

In the Essential Eight, the levels are:

  • Level 0: Weaknesses exist that may easily be exploited
  • Level 1: Malicious actors may use typical tools to exploit the business in widespread attacks
  • Level 2: Malicious actors with selective and targeted attacks using typical tools may be able to exploit the business
  • Level 3: Malicious actors using sustained and customised strategies may be able to exploit the business

For most organisations, a Level 2 baseline is an excellent aiming point.

Certification of maturity level

Self-assessment of your organisation’s maturity level against a maturity model is usually “enough” to satisfy stakeholders and key decision-makers. However, some models offer official level-based certification, either through the model’s publisher or independent third parties. 

While the Essential Eight doesn’t offer official certification per se, some organisations may have mandates for third-party Essential Eight assessments, because of government, industry, or contractor policies. RIGA specialises in helping organisations assess their Essential Eight compliance. By getting an external assessor to verify your maturity level, you can proudly and confidently state it to clients, investors, and the public.

Benchmarking maturity

While the Essential Eight is only “essential” for Australian federal government departments, state and local governments and businesses of all shapes and sizes are now seeing the benefits of following this standardised model.

By benchmarking cybersecurity across the business using the Essential Eight, you know where you’re at – and where you’d like to be. Using the strategies outlined for the next maturity level, your organisation can become more secure with an easy-to-follow guide. Because the Essential Eight is updated regularly and is maintained by the Australian government, you’re assured of the model’s quality.

Gain a greater cyber awareness

Of course, there is more to strengthening your organisation’s cybersecurity program than just following the Essential Eight. Organisations can also join the Australian Signals Directorate’s Business Partnership program to be signed up for the ASD’s ACSC Alert Service, and receive the monthly cyber newsletter, targeted guidance and invitations to relevant events.

If you’d like a helping hand for self-assessment of the Essential Eight, rolling out the strategies contained within, or would like an external assessment of your E8 maturity, then make sure to get in contact with us today.