
Lesson 18: Cybersecurity Maturity Assessment — How to Measure Your Current Posture

Path 2: Saudi Regulatory Compliance — Lesson 8 of 10. Learn practical methods to measure your cybersecurity maturity against SAMA CSCC and NCA ECC benchmarks.

FyntraLink Team
Saudi Regulatory Compliance · Lesson 8 of 10 · Level: Intermediate · Reading time: 12 minutes

What You Will Learn in This Lesson

  • What a cybersecurity maturity assessment is and why Saudi regulators expect one
  • How to score your organization across SAMA CSCC domains using a 5-level maturity model
  • Practical steps to run a self-assessment, identify gaps, and prioritize remediation
  • How to translate maturity scores into an executive roadmap that boards and regulators understand

Why "Are We Secure?" Is the Wrong Question

Ask any CISO whether their organization is secure and you will get a complicated answer. Security is not binary — it is a spectrum. The real question is: "How mature are our cybersecurity capabilities relative to the threats we face and the regulations we must meet?" A maturity assessment answers that question with data instead of gut feeling. It maps every security domain — from governance to incident response — onto a repeatable scale, giving you a baseline you can measure progress against quarter after quarter.

Both SAMA and NCA explicitly require regulated entities to evaluate their cybersecurity posture periodically. SAMA's Cyber Security Framework (CSCC) embeds maturity evaluation into its supervisory review process, while NCA's Essential Cybersecurity Controls (ECC) expect organizations to demonstrate continuous improvement. If you cannot show where you stand today, you cannot prove you are moving forward — and that is a regulatory risk on its own.

Understanding Maturity Levels

Most cybersecurity maturity models use a five-level scale. While exact labels vary between frameworks, the concept is consistent:

  • Level 1 (Initial/Ad Hoc): processes exist only informally; individuals do the right thing sometimes, but nothing is documented or repeatable.
  • Level 2 (Repeatable): basic processes are defined and followed for common scenarios, but they are not standardized across the organization.
  • Level 3 (Defined): formal, documented policies and procedures are applied organization-wide.
  • Level 4 (Managed): quantitative measurement is added; you track KPIs, monitor control effectiveness, and use metrics to make decisions.
  • Level 5 (Optimized): continuous improvement is embedded; you proactively adapt controls based on threat intelligence, lessons learned, and emerging risks.

Practical Example: Consider access management at a Saudi bank. At Level 1, employees share admin credentials informally. At Level 3, the bank has an IAM policy, uses Active Directory with role-based access, and runs quarterly access reviews. At Level 5, the bank uses automated identity governance with real-time anomaly detection, integrates with HR for instant provisioning and de-provisioning, and continuously benchmarks against SAMA CSCC Domain 5 requirements.

Choosing Your Assessment Framework

Saudi organizations have several maturity frameworks available, but the choice depends on your regulatory obligations. If you are a SAMA-regulated financial institution — a bank, insurer, or fintech — the SAMA CSCC framework is your primary benchmark. It covers four domains: Cyber Security Leadership and Governance, Cyber Security Risk Management and Compliance, Cyber Security Operations and Technology, and Third Party Cyber Security. Each domain has sub-domains with specific controls, and SAMA expects you to demonstrate maturity against each during supervisory reviews.

If you fall under NCA jurisdiction (government entities, critical national infrastructure), the ECC framework and its companion National Cybersecurity Assessment Tool (NCAT) provide the assessment structure. For organizations pursuing international recognition, mapping to NIST CSF 2.0 or ISO 27001:2022 maturity is valuable — especially when dealing with global partners or investors. The good news: these frameworks overlap significantly, so a well-structured assessment can serve multiple purposes simultaneously.

Running a Self-Assessment: A Step-by-Step Approach

You do not need a consultant to start. A disciplined internal team can run a meaningful first assessment in two to four weeks. Here is a practical method:

Step 1 — Scope and Stakeholders. Define what is in scope: the entire organization, a specific business unit, or a particular system. Identify stakeholders from IT, security, compliance, operations, and business leadership. Each will own evidence for different control domains.

Step 2 — Build Your Control Matrix. Create a spreadsheet mapping every control from your chosen framework. For SAMA CSCC, this means listing each sub-domain control with columns for: current maturity level (1–5), evidence available, gap description, risk rating (High/Medium/Low), and remediation owner.

# Example SAMA CSCC Assessment Matrix Structure (CSV)
Domain,Sub-Domain,Control_ID,Control_Description,Current_Level,Target_Level,Gap,Evidence,Risk,Owner
"1. Leadership & Governance","1.1 Cyber Strategy","CSCC-1.1.1","Approved cybersecurity strategy aligned with business objectives",2,4,"Strategy exists but not reviewed annually; no KPIs defined","Strategy doc v2.1 (2024)","High","CISO"
"1. Leadership & Governance","1.2 Organizational Structure","CSCC-1.2.1","Defined cybersecurity roles and responsibilities",3,4,"Roles defined but no RACI matrix for incident scenarios","Org chart, JDs","Medium","HR/CISO"
"2. Risk Management","2.1 Risk Assessment","CSCC-2.1.1","Periodic cybersecurity risk assessments conducted",2,4,"Risk assessment done once in 2024; no continuous process","RA Report 2024","High","Risk Manager"

Step 3 — Evidence Collection. For each control, gather documentation: policies, configurations, logs, training records, audit reports. The rule of thumb is simple — if you cannot show evidence, the control does not exist in the assessor's eyes. Common evidence types include: policy documents (PDF with approval signatures), system screenshots (firewall rules, SIEM dashboards), process records (change tickets, incident reports), and training completion certificates.

Step 4 — Scoring Workshop. Bring stakeholders together for a structured scoring session. Walk through each control, review evidence, and agree on the current maturity level. Be honest — inflated scores will collapse under regulatory scrutiny. A useful calibration technique: for each control, ask "Could we demonstrate this to a SAMA examiner today with 30 minutes' notice?" If the answer is no, the score should reflect that reality.

Step 5 — Gap Analysis and Prioritization. Calculate the gap between current and target levels for each control. Prioritize remediation using a risk-based approach: controls with High risk and large gaps come first. Group quick wins (achievable in under 30 days) separately from strategic initiatives (3–12 months).
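The five steps above are easy to describe and easy to get wrong in a spreadsheet: an unevidenced control kept at its self-declared score, a mistyped level inflating a domain average, or remediation ordered by gap alone without the risk rating. The script below is an added example (not the lesson's own tool and not a SAMA artifact) that reads a control matrix in the CSV layout shown under Step 2 and carries out Steps 3 to 5: it applies the "no evidence, no control" rule, validates the 1 to 5 scale, orders remediation by risk and gap, and produces the domain and overall averages that feed the executive summary. The sample rows, control IDs such as CSCC-3.X.1, the risk weights, and the choice to score an unevidenced control at Level 1 are all assumptions made for illustration.

```python
"""Gap analysis over a SAMA CSCC-style control matrix (Steps 2 to 5).

Added example, not part of the lesson or of any SAMA publication.
"""
import csv
import io
from collections import defaultdict

# Assumption: risk weights used to order remediation (High > Medium > Low).
RISK_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample matrix in the column layout shown in the lesson.
# Control IDs, descriptions and scores are illustrative placeholders,
# not SAMA's text. The fourth row deliberately has no evidence.
SAMPLE_MATRIX = """\
Domain,Sub-Domain,Control_ID,Control_Description,Current_Level,Target_Level,Gap,Evidence,Risk,Owner
"1. Leadership & Governance","1.1 Cyber Strategy","CSCC-1.1.1","Approved cybersecurity strategy",2,4,"No annual review; no KPIs","Strategy doc v2.1 (2024)","High","CISO"
"1. Leadership & Governance","1.2 Organizational Structure","CSCC-1.2.1","Defined roles and responsibilities",3,4,"No RACI matrix for incidents","Org chart, JDs","Medium","HR/CISO"
"2. Risk Management","2.1 Risk Assessment","CSCC-2.1.1","Periodic risk assessments",2,4,"Assessed once in 2024; no continuous process","RA Report 2024","High","Risk Manager"
"3. Operations & Technology","3.X Security Monitoring","CSCC-3.X.1","Central log collection and alerting",2,4,"Logs collected ad hoc; no SIEM","","High","SOC Lead"
"3. Operations & Technology","3.Y Access Management","CSCC-3.Y.1","Quarterly access reviews",3,3,"","Review tickets Q1-Q4 2024","Low","IAM Lead"
"""


def load_matrix(text):
    """Parse the CSV matrix into dicts with integer maturity levels.

    Levels outside 1..5 are rejected: a typo such as 30 instead of 3
    would otherwise silently inflate every average downstream.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("Current_Level", "Target_Level"):
            row[key] = int(row[key])
            if not 1 <= row[key] <= 5:
                raise ValueError(f"{row['Control_ID']}: {key}={row[key]} not in 1..5")
        rows.append(row)
    return rows


def evidence_adjusted_level(row):
    """Step 3 rule: without evidence the control does not exist for the
    assessor. Assumption here: score it as Level 1 (Initial/Ad Hoc)."""
    return row["Current_Level"] if row["Evidence"].strip() else 1


def gap(row):
    """Levels still to climb from the evidence-adjusted score to the target."""
    return max(row["Target_Level"] - evidence_adjusted_level(row), 0)


def priority_score(row):
    """Step 5: High-risk controls with large gaps come first."""
    return RISK_WEIGHT[row["Risk"]] * gap(row)


def prioritized(rows):
    """Controls with a remaining gap, most urgent first (ties by Control_ID)."""
    open_items = [r for r in rows if gap(r) > 0]
    return sorted(open_items, key=lambda r: (-priority_score(r), r["Control_ID"]))


def domain_averages(rows):
    """Evidence-adjusted mean maturity per domain plus the overall mean,
    the numbers a radar chart in the executive summary is drawn from."""
    by_domain = defaultdict(list)
    for r in rows:
        by_domain[r["Domain"]].append(evidence_adjusted_level(r))
    result = {d: round(sum(v) / len(v), 1) for d, v in by_domain.items()}
    result["Overall"] = round(sum(evidence_adjusted_level(r) for r in rows) / len(rows), 1)
    return result


def evidence_coverage(rows):
    """Leading indicator: percentage of controls with evidence on file."""
    with_evidence = sum(1 for r in rows if r["Evidence"].strip())
    return round(100 * with_evidence / len(rows), 1)


if __name__ == "__main__":
    matrix = load_matrix(SAMPLE_MATRIX)
    print("Domain maturity:", domain_averages(matrix))
    print(f"Controls with evidence: {evidence_coverage(matrix)}%")
    print("Remediation order:")
    for r in prioritized(matrix):
        print(f"  {r['Control_ID']:<12} risk={r['Risk']:<6} gap={gap(r)} "
              f"score={priority_score(r)} owner={r['Owner']}")
```

On the sample data the monitoring control jumps to the top of the list even though its self-declared score (2) is no worse than the strategy control's, because with no evidence it is treated as Level 1 and its gap widens to three levels. That is exactly the correction a scoring workshop should make before the numbers reach the board.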

Translating Scores into an Executive Roadmap

Maturity numbers mean little to board members unless you translate them into business language. Build a one-page executive summary that shows three things: a spider/radar chart visualizing maturity across domains (current vs. target), a risk heat map highlighting the top five gaps by business impact, and a phased roadmap with quarterly milestones, estimated investment, and the regulatory deadline each initiative addresses.

Practical Example: A Saudi insurance company completed their SAMA CSCC self-assessment and found an average maturity of 2.3 across all domains, with Cyber Security Operations scoring 1.8 — the lowest. Their executive summary framed this as: "We cannot detect a breach within 24 hours today. SAMA expects detection and reporting within 72 hours. Investing SAR 1.2M in a managed SIEM and SOC service over Q2–Q3 will close this gap and bring our Operations domain to Level 3.5." The board approved the budget in one meeting because the ask was tied to a specific regulatory requirement, a measurable outcome, and a clear timeline.

Common Assessment Pitfalls and How to Measure Progress

A maturity assessment is not a one-time project — it is a recurring discipline. Best practice is to reassess quarterly at the domain level and conduct a comprehensive assessment annually. Track your overall maturity score and domain-level scores over time. Set a target maturity level for each domain based on your risk appetite and regulatory requirements — most SAMA-regulated entities should aim for Level 3 as a minimum baseline, with critical domains (incident response, access management) at Level 4.

Use leading indicators alongside maturity scores: mean time to detect (MTTD), mean time to respond (MTTR), percentage of controls with current evidence, policy review completion rates, and employee security training completion. These operational metrics validate whether your maturity improvements are translating into real capability gains.

Linking to the Saudi Regulatory Context

SAMA's supervisory process increasingly relies on maturity-based evaluations. During periodic reviews, SAMA examiners assess not just whether controls exist but how mature they are — whether they are documented, measured, and continuously improved. Organizations that proactively conduct maturity assessments and present structured roadmaps demonstrate regulatory seriousness and often receive more favorable supervisory outcomes. NCA's NCAT tool similarly scores organizations on a maturity scale and feeds results into the national cybersecurity posture dashboard. For entities subject to both SAMA and NCA, harmonizing your assessment methodology to cover both frameworks simultaneously saves significant effort and ensures consistency.

Common Mistakes to Avoid

  • Scoring aspirationally instead of honestly. Rating a control at Level 3 because a policy was drafted last year — even though nobody follows it — will backfire during a regulatory review. Score based on what is actually implemented and evidenced today, not what you plan to do.
  • Treating the assessment as a compliance checkbox. Running an assessment once to satisfy an audit request, then filing it away, wastes the effort. The value comes from tracking progress over time and using gaps to drive investment decisions. Build the reassessment cycle into your annual security calendar.
  • Skipping stakeholder involvement. When the security team scores controls alone, they miss operational realities. Business unit leaders know whether policies are followed on the ground. Include them in scoring workshops — their perspective prevents blind spots and builds organizational buy-in for remediation projects.

Lesson Summary

  • A cybersecurity maturity assessment converts subjective security confidence into a measurable, repeatable score across defined domains — essential for both SAMA and NCA compliance.
  • Use a five-level maturity model mapped to your regulatory framework (SAMA CSCC or NCA ECC), score honestly with evidence, and prioritize gaps by risk impact.
  • Translate maturity data into executive-friendly roadmaps that tie investment requests to specific regulatory requirements, measurable outcomes, and clear timelines.

Next Lesson

In the next lesson we will cover "Preparing Your Organization for a SAMA Review — A Practical Checklist", a step-by-step guide to getting audit-ready, from organizing documentation to mock examination walkthroughs and common examiner questions.


Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.