The Australian edition of CSO.com (https://www.cso.com.au/article/588781/what-your-cyber-security-risk-profile/) has some useful tips on evaluating your risk profile against the four tiers of cybersecurity risk management sophistication defined in the NIST Cybersecurity Framework:
Tier 1 (Partial): organizations whose cyber risk management processes are not formalized and that manage risk in an ad hoc fashion.
For Tier 1 organizations, cybersecurity risk is treated as an IT issue, tackled by an internal team with little to no external collaboration.
Tier 2 (Risk Informed): cybersecurity risk management is acknowledged as a concern, but it is still mainly managed by IT; a policy is in place and there is some movement toward working with others at an industry level.
Tier 3 (Repeatable): comprehensive risk management policies and practices are understood and implemented across the organization, and there are broader industry connections for addressing cybersecurity risk and sharing information.
Tier 4 (Adaptive): the maturity level of organizations whose cybersecurity risk management runs in a continuous improvement loop, drawing on lessons learned from their own and third-party experiences. These companies have made cybersecurity risk management part of their corporate culture and actively contribute risk information to larger industry efforts.
The author goes on to identify ten practical steps to improve maturity.