Has anyone used the CMMI Cybermaturity framework to benchmark or improve cybersecurity maturity? I believe it is suitable for large organizations and not small or medium ones. It also needs a lot of time in order to show improvements. Do you agree?

Chief Information Security Officer in Government, a day ago

We use NIST, but that is principally because of how widely it is used. My advice would be to be clear what you are doing the maturity and benchmarking assessment for. If it is to measure progress internally, self-assessment is more engaging, so use something familiar to the workforce. If you wish to benchmark, consider what others in your field most often use. If it is to provide independent assessment to stakeholders, consider who they would trust to do it and what is most familiar to them.

Director of Information Security, 5 days ago

It's too extensive for us, so we only use NIST.
