Why Arba relies on maturity scores

When you use the Arba platform, you choose a standard or framework to work with and fill out a questionnaire regarding how far you have already come with implementing that standard.
The situation might remind you of an audit, or of writing a statement of applicability, where you decide for each control: has this been implemented?
But there is one important difference. Arba asks for your level of maturity, not for a yes or no on whether you have implemented the control.
But what is maturity and how and why does Arba use it?
What maturity is
In the context of the tech industry and cyber and information security, maturity refers to how well-developed a certain capability is within an organization. Is it barely more than a thought and a thing that the organization might be able to do? Or is it part of a well-oiled machinery of educated professionals with processes, practices and supporting tools?
Any organization must be interested in the questions: Are we doing the right things? And: Are we doing things right? Understanding the maturity of core capabilities is a great help when figuring this out.
As part of its work on helping organizations measure and mature their capabilities, Carnegie Mellon University's Software Engineering Institute developed the Capability Maturity Model Integration (CMMI, now owned by ISACA), a program for advancing organizational capabilities. From that work we get the CMMI scale, a widely recognized way of measuring maturity on five levels.
There are many different formulations of what the five levels mean; we offer an instructive, if improvised, description here:
- Initial: When we perform the tasks related to this capability, we do so on our own bottom-up initiative, without training, standardization, governance or strategic considerations.
- Managed: The tasks related to this capability are placed under named managers who have made, and perhaps documented, key decisions regarding the topic. But our ways of working remain unstandardized, under-strategized and incomplete.
- Defined: The capability is defined with governance, standards and clear expectations under responsible, well-defined management. This is the level many of us associate with compliance: we are good on paper, and perhaps in the real world as well.
- Quantitatively managed: The capability is well-defined and documented, and the effectiveness of the related controls is known from data that is collected and analyzed.
- Optimizing: Building on a quantitatively managed capability, we now focus on optimizing: discovering opportunities for improvement, adjustment, savings and proactive action.
How does Arba use maturity and why?
Arba is a platform that provides automated cyber and information security consulting. By basing its advice on a measure of maturity rather than on a yes/no, Arba can avoid advice that consists of a series of overwhelmingly large and expensive implementation projects. Instead, it proposes bite-sized, prioritized tasks that help organizations build their maturity incrementally.
Within large organizations, we have often seen management judge cyber and information security projects as failures because the people responsible for implementation come back time and again to the very same controls they addressed several times before. This is frustrating to those who allocate budgets and hire professionals.
The unwelcome truth for the accountable managers is that iterating over the same controls is indeed best practice. And the unwelcome truth for the responsible professionals is that they should plan for this transparently when asking for resources in the first place. Arba addresses this pain by providing up-front action plans that address each control several times over through subtasks, allowing for more transparent and cost-effective planning from the start.
A final truth, sometimes welcomed with open arms and sometimes begrudgingly ignored, is that not all organizations should strive for maximum security maturity.
Based on a first assessment of your company's risk profile, Arba suggests a target level of maturity that fits your organization. You can accept the suggestion or pick a different target, but you must pick a target to proceed. From the combination of where you are (your maturity) and where you want to go (your target), Arba identifies the tasks that are relevant to your security journey.
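The planning logic described in this section, as an added illustration in Python (this is example code written for this page, not Arba's own implementation): questionnaire answers become per-control maturity levels on the five-point scale, a target level is chosen, and the planner emits one subtask per control per level still to be climbed, so a control at level 1 with a target of 4 is revisited three times. Tasks are ordered breadth-first, lifting every control one level before any control is taken further, and within a level by a risk weight. The generic subtask wording, the risk weight, and the sample controls are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# The CMMI-style scale described above (1 = Initial ... 5 = Optimizing).
LEVELS = {
    1: "Initial",
    2: "Managed",
    3: "Defined",
    4: "Quantitatively managed",
    5: "Optimizing",
}

# Hypothetical, generic subtask wording for lifting a control to a level.
# A real platform would hold control-specific tasks; these are stand-ins.
STEP_TEMPLATES = {
    2: "Name an owner for '{control}' and record the key decisions taken",
    3: "Write and approve a standard for '{control}' with clear expectations",
    4: "Define metrics for '{control}' and start collecting effectiveness data",
    5: "Review '{control}' data regularly and act on improvement opportunities",
}


@dataclass(frozen=True)
class Assessment:
    """One questionnaire answer: how mature a control is today."""
    control: str
    current: int       # current maturity level, 1..5
    risk_weight: int   # assumed weight from the risk profile; higher = more urgent


@dataclass(frozen=True)
class Task:
    control: str
    to_level: int
    risk_weight: int
    description: str


def _check_level(level: int) -> None:
    if level not in LEVELS:
        raise ValueError(f"maturity level must be 1..5, got {level!r}")


def plan(assessments: list[Assessment], target: int) -> list[Task]:
    """Build an incremental plan from current maturity to the target level.

    Every control below the target gets one task per level it still has to
    climb; controls already at or above the target get none.  Tasks are
    ordered breadth-first: all controls are lifted to level 2 before any is
    taken to level 3, and within a level the highest risk weight comes first.
    """
    _check_level(target)
    tasks: list[Task] = []
    for a in assessments:
        _check_level(a.current)
        for level in range(a.current + 1, target + 1):
            tasks.append(Task(
                control=a.control,
                to_level=level,
                risk_weight=a.risk_weight,
                description=STEP_TEMPLATES[level].format(control=a.control),
            ))
    tasks.sort(key=lambda t: (t.to_level, -t.risk_weight, t.control))
    return tasks


def rounds(tasks: list[Task]) -> dict[int, list[str]]:
    """Group a plan by level so each planning round is visible up front."""
    grouped: dict[int, list[str]] = {}
    for t in tasks:
        grouped.setdefault(t.to_level, []).append(t.control)
    return grouped


# Constructed sample answers, not data from any real assessment.
SAMPLE = [
    Assessment("Access control", current=1, risk_weight=5),
    Assessment("Backup and restore", current=3, risk_weight=3),
    Assessment("Security logging", current=4, risk_weight=4),
]

if __name__ == "__main__":
    for level, controls in rounds(plan(SAMPLE, target=4)).items():
        print(f"Round to level {level} ({LEVELS[level]}): {', '.join(controls)}")
```

Running the sample with a target of 4 yields four tasks in three rounds: access control appears in every round, backup and restore only in the last, and security logging, already at the target, in none. That is the "same control, several times over" pattern the text describes, laid out before any budget is requested.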
Without maturity, Arba would be selling one-size-fits-none security advice in a nice wrapping. Hopefully, you’ll find that Arba is in fact tailored and prioritized for your needs.
Measure, improve, secure
Arba uses maturity scores to track progress, prioritize risks, and strengthen cybersecurity with a structured, data-driven approach.
Niklas Rendboe is an information security expert specializing in governance, risk, and compliance. He serves as the Chief Information Security Officer (CISO) at Arba Security and works as a cybersecurity consultant at Trustworks Cyber Security.
Additionally, he is a member of a research group at the Royal Danish Defence College, where he studies Russian military capabilities, and he has served in several advisory roles concerning private actors in security politics.
Niklas earned his MSc in International Security & Law from the University of Southern Denmark in 2019 and holds multiple certifications related to information security and risk management.