Maturity is an interesting word. We’ve heard it throughout our lives and it’s had different meanings in different contexts. As a child, we heard it from our parents regarding “growing up” or “being more mature”. We may not have entirely understood it then, but our parents knew that developing maturity would be important for friends, colleagues and peers to take us seriously. As we grew older, we began to understand the concept of maturity and that it could be compared closely to wisdom. We began using what we learned through experience and started applying that knowledge to our decision-making process.

Today we hear the word maturity frequently in the workplace. We see it used in processes, methodologies, rating scales, etc., and from a technology and process standpoint, maturity can be applied to cybersecurity as well, although its applicability and benefit isn’t always readily apparent.

Case in point. Recently, over lunch, I was attempting to explain the purpose and benefit of cybersecurity maturity to a business colleague. Based on his skeptical expression, it was clear to me that I wasn’t succeeding. He fully understood compliance and the implications of non-compliance, but wasn’t grasping the value of maturity and how it was relevant in the security space.

I thought about what was personally important for me to secure, and the answer was easy – my family. I then thought about an area where compliance comes into play and how it is typically used to determine effectiveness – home fire safety. Using that as an example, I asked him to rate his family’s level of home fire safety on a scale of 1-5.

"4-5," was his response. "I have the best smoke alarms money can buy. I have one on each floor and in each bedroom, as I’m required to by code. In addition, I have a fire extinguisher in the house and one in the garage."

From a compliance standpoint, we both agreed that his score of 4-5 was likely accurate, and one could say that he had gone above and beyond the minimum standard. I then challenged him to look at it from a maturity perspective, using a series of ad-hoc questions as a baseline:

Do you test your smoke alarms?
Do you have a regular schedule for replacing the batteries, or do you replace them only when the alarm tells you to?
Do you have a family communication and logistics plan that you can put into action if an alarm sounds in the middle of the night?
Do you practice the plan?
Does everyone in your family know where the fire extinguishers are?
Does everyone in your family know how to use the fire extinguishers?
Is there a pre-determined family assembly area outside?

As he considered each question, I then asked, now that he’d added a maturity measurement to compliance, what would he rate his family’s level of fire safety?

"Probably a 1-2," was his concerned reply.

While this may be a simple example, it begs a question. Traditional compliance and operational data is important, but does it provide adequate context to truly evaluate capability? Using the fire safety example above, it doesn’t appear to. My colleague had all the required detection mechanisms in place, including some additional preventative measures, but any significant capability for his family to respond effectively to a fire simply wasn’t there.

The same question can be asked of a cybersecurity organization, and a growing number of security leaders are adopting maturity as a metric to analyze and determine their team’s strategic capabilities, because the hundreds of individual controls, while critical, only represent a point in time.

Cybersecurity maturity, used as a performance metric, offers additional insight into how the security organization is operating. It can be used to analyze compliance and operational data at the process or function level. Trends can be discovered, monitored and adjusted for. An enterprise security training program may have all the right features in place, for instance, but the open rate of phishing emails by employees isn’t decreasing over time. Do the components of the training program need to be adjusted, or does the content? Or does the challenge lie within another function or process outside of the training program? The use of maturity to analyze the capabilities of those processes can likely answer those questions.

In today’s evolving threat landscape, effective metrics are critical to security success. Controls and operational data are required to run the organization today. Strategic KPIs, such as maturity, are also required to measure, profile and plan the security organization’s capabilities for both today and tomorrow. Performing a cybersecurity maturity assessment on the security organization will likely yield valuable insights. There are excellent sources available that show where to begin and how to demonstrate the value of measuring cybersecurity capabilities and effectiveness. (An example can be found here.)

Ultimately, the best smoke alarms money can buy are powerful tools in the event of a fire, but only if everyone has the capability and maturity to respond effectively.