Has anyone used the CMMI Cybermaturity framework to benchmark or improve Cybersecurity maturity? I believe it is suitable for large organizations and not small or medium ones. It also needs a lot of time in order to show improvements. Do you agree?

CISO in Miscellaneous, 4 days ago

Our 3rd party assessment partner used CMMI to measure and score us against the NIST CSF v2 that we align with.

VP of Operations, 10 days ago

We use the Essential 8.
I believe an overall framework is key to get the whole organization to align and take the necessary steps to reach the necessary maturity in this field even if this can be perceived as slow at times.

Chief Information Security Officer in Government, a month ago

We use NIST but that is principally because of how widely it is used. My advice would be to be clear what you are doing the maturity and benchmarking assessment for. If it is to measure progress internally, self-assessment is more engaging so use something familiar to the workforce. If you wish to benchmark, consider what others in your field most often use. If it is to provide independent assessment to stakeholders, consider who they would trust to do it and what is most familiar to them.

Director of Information Security, a month ago

It's too extensive for us, so we only use NIST.
