CSO Australia has some useful tips on evaluating your risk profile against the four implementation tiers of cybersecurity risk management sophistication defined in the NIST Cybersecurity Framework:
“Tier 1 (Partial): this describes organisations where cyber risk management processes are not formalised and where risk is managed in an ad hoc fashion.
For Tier 1 organisations, cybersecurity risk is an IT issue. It is tackled by an internal team with little to no external collaboration.
Tier 2 (Risk Informed): this is where cybersecurity risk management is acknowledged as a concern. However, it is still in the main managed by IT; there is a policy in place, and there is some movement towards working with others at an industry level.
Tier 3 (Repeatable): this is when there are comprehensive risk management policies and practices that are understood and implemented across the organisation. There are also broader industry connections to address cybersecurity risk and to share information.
Tier 4 (Adaptive): this is the maturity level of organisations whose cybersecurity risk management is in a continuous improvement loop, with lessons learned from personal and third-party experiences. These companies have made cybersecurity risk management part of their corporate culture, and they actively contribute risk information to larger industry efforts.”
The author goes on to identify ten practical steps to improve maturity.