Cybersecurity Maturity Beyond the Checklist: What Internal Auditors Need to Know

As cyber threats grow more sophisticated, internal auditors are increasingly expected to assess not just technical controls, but also the broader maturity of their organization’s cybersecurity posture. The article Understanding Cybersecurity Maturity in Practice offers valuable insights into how cybersecurity maturity models are actually applied in organizational settings—and what this means for audit and governance functions. Drawing on interviews with seasoned cybersecurity professionals, the article reveals that maturity is far more than a score—it’s a strategic and communicative tool.

For internal auditors, one of the key takeaways is that organizations rarely use cybersecurity maturity models (CMMs) as rigid benchmarks. Instead, they adapt them to fit operational realities. Auditors may encounter organizations that nominally refer to frameworks such as NIST or CMMI but implement them selectively. This pragmatic approach means auditors must go beyond the documentation and ask: How is maturity understood here? What is being prioritized, and why?

The article also shows that maturity models serve important internal governance functions. They help cybersecurity teams articulate their needs to senior management, justify budget allocations, and align their roadmaps with business strategy. For auditors, this underscores the importance of evaluating not just whether a maturity model exists, but how it’s being used to support strategic alignment and risk communication.

Another important dimension is the symbolic role of maturity. Companies often describe themselves as “cyber mature” not just for internal benchmarking, but to build trust with external stakeholders such as regulators, clients, and the board. Internal auditors should be aware that such statements may reflect aspiration as much as reality, and that independent assessment of actual capabilities remains essential.

The study also suggests that formal assessments can give a false sense of security if they do not reflect operational practice. Internal auditors are well positioned to identify this disconnect. For example, a maturity score may indicate a “managed” process, while interviews and control testing reveal that the process is applied inconsistently or is not effective in practice. This highlights the need for a risk-based, evidence-oriented audit approach.

Ultimately, the article invites internal auditors to think of cybersecurity maturity not just as a compliance issue, but as part of the broader governance ecosystem. Maturity models can be powerful tools, but only if they are critically assessed, meaningfully applied, and regularly reviewed. For practitioners, this means engaging with cybersecurity not just at the control level, but at the level of strategic dialogue, culture, and communication.

The full article is available in the Journal of Information Systems, where further details can be found.