...measuring your cybersecurity maturity level 

1.0 Introduction

The Tripod Cybersecurity Maturity Model (TCMM) is conceived as an easy-to-use and concise framework for measuring national, organisational and enterprise cybersecurity maturity levels. As the management saying goes, “if you cannot measure it, you cannot improve it”; hence the need to measure cybersecurity maturity progress for continuous improvement.

It is based on the tripod of People, Process and Technology, the basic strategic framework for integrating ICT into any organisation's strategic business objectives for optimal results, whether for a public or private sector concern or, for that matter, a nation state.

The TCMM is thus composed of three (3) pillars, eighteen (18) factors and more than one hundred (100) indicators.

The TCMM was developed to foster a culture of cybersecurity awareness, readiness and engagement in the concerned entity, for a more mature posture against cyber-threats, attacks and infiltrations, in view of the global digital transformation agenda focused on digitization and digitalization. It is positioned as an enabler for achieving globally agreed development goals such as the Sustainable Development Goals (SDGs) and the African Digital Transformation Strategy.

Based on my studies, it is the first cybersecurity maturity model in the global South.

2.0 TCMM Computation

The method for the computation of the Tripod (People Process Technology) Cybersecurity Maturity Model (T(PPT)CMM) is based on a balanced scoring for the three pillars irrespective of the factors and indicators involved.

All data associated with the computation must be available online on the concerned entity's website(s) for third (3rd) party verification. While some information may be confidential, the entity’s website must carry information indicating the presence of the required document and process. The published information or document is expected to be free of sensitive data, which should have been redacted. Such data may be contained in a self-assessment document that addresses all the pillar variables with relevant references. Where a third-party on-site verification is possible, it should be well documented, and the evidence should be published on the entity’s website.

The objective of the exercise is to provide feedback that reflects the state of the enterprise's or country's cybersecurity maturity. The closer the result is to 1, the stronger the cybersecurity maturity of the enterprise or country. The result may be used internally for cybersecurity maturity improvement and for pairwise comparison with industry peers or, in the case of a country, with other countries.

3.0 The Tripod Cybersecurity Maturity Model levels

The Tripod Cybersecurity Maturity Model can be classified into five (5) levels. The levels are:

1. The Foundation level - between 0 and 0.2

2. The Growth level - from 0.21 to 0.4

3. The Improved level - from 0.41 to 0.6

4. The Maturing level - from 0.61 to 0.8

5. The Matured level - above 0.8

 

| Level | Data Range | Description | Remark |
|-------|------------|-------------|--------|
| 1 | 0 - 0.2 | Foundation level | The organisation or country is yet to commence a serious cybersecurity maturity programme though it has some of the control factors in place. |
| 2 | 0.21 - 0.4 | Growth level | The organisation or country has begun to organise its cybersecurity programme based on TCMM audit conducted but the pillars are yet to be balanced. |
| 3 | 0.41 - 0.6 | Improved level | The organisation or country has improved on its cybersecurity maturity indicators after a TCMM audit and the pillars are heading in the right direction. |
| 4 | 0.61 - 0.8 | Maturing level | The organisation or country has conducted an audit and has put in place most of the cybersecurity maturity control gaps and it is close to a balanced tripod scenario. |
| 5 | 0.81 - 1 | Matured level | The organisation or country has put in place all the key elements of the cybersecurity maturity indicators and is on a dynamic programme for continuous balanced pillars scenario through regular audits. |