The cyber environment is filled with threats. It's virtually impossible to avoid "INFRASTRUCTURE FACES IMMINENT CYBER ATTACK," or something very similar, every time you encounter online or television news. Nobody argues that there's no threat. At the same time, few people, much less experts, agree on how to address the threat.

Let's go a step beyond acknowledging that our infrastructure is in danger. How do we quantify the threat and our preparation to respond? How do you, our nation's cybersecurity professionals, assess the readiness and agility of an organization, and, more importantly, how do you describe the threat and defense landscape to people outside the profession?

While not advocating any particular tool, the maturity-model assessment family in general is geared to a cybersecurity program assessment, as opposed to a risk or threat assessment. Most models present a common set of industry-vetted best practices in cybersecurity. These may go even further, matching your status to industry maturity levels. Scores are based on the organization's risk tolerance across multiple domains. These can include cybersecurity approach, management objectives, and operational and technical practices. After a facilitated assessment or self-assessment tool is completed, a score is assigned. Scores are then compared within, and possibly between, industry sectors to categorize your organization in relation to your peers.

Why go through all this work? Maturity models can help you paint a clear and compelling picture of the gap between threat and preparation, not only for infrastructure defenders but for your management when it's time to request resources.

Return on investment

Why wouldn't you use a tool like this? After all, you've already paid for it! That's right; one of the most functional and popular tools within the Natural Gas Subsector is the Department of Energy's Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2). The ONG-C2M2 includes the generic C2M2 assessment and adds reference material and implementation guidance specifically tailored for the oil and natural gas subsector. The ONG-C2M2 comprises the aforementioned maturity model, an evaluation tool, and DOE-facilitated self-evaluations.

[Figure: Generic Cybersecurity Maturity Model]

As I prepare this blog I'm sitting in a live, two-day, facilitated ONG-C2M2 session to observe an experienced facilitator, industry partners, and the evaluation process. Active facilitation simplifies everything: the facilitator's clarification and guidance increase the accuracy of the evaluation and provide interpretation of the final results. The C2M2 models are publicly available and, while designed for the energy sector, can still be used as a foundation by any organization to enhance its cybersecurity capabilities.

[Figure: Electric Subsector Model]

While not mandatory, compliance with, and measured maturity within, a government-authored assessment tool can go a long way toward assuring stakeholders of your commitment to cybersecurity. It might offset potential liability as well.

Real-world experiences

Your feedback is not only appreciated by me but will certainly be well regarded by your sector and sub-sector partners. You are encouraged to comment on this blog! What impresses me may not impress you. Cyber defender peers, have you encountered any of these tools? Have you found them useful? Cumbersome? What alternatives have worked for you? What, if any, positive or negative effects have the results had within your organization? How does the C-suite regard the results of the tool? Did the evaluation result in a clear, usable picture of your threat and defense landscape? Did it help your department get more resources?

Nobody stands alone in defending our critical cyber infrastructure. Everybody depends on somebody for resources. Maturity models/evaluation tools such as the ONG-C2M2 can turn cyber-speak into a story that compels your leadership to action.