The Kroll Detection and Response Maturity Model highlights the gap between organizations’ perceptions of their detection maturity status and their actual cybersecurity practices.
Kroll’s Detection and Response Maturity Model (“Model”) provides a structured framework for understanding how key detection and response components contribute to an organization’s overall maturity, considering capabilities, resources, insurance and overall preparedness. The Model highlighted a significant ROI for mature organizations, as well as considerable discrepancies between perceived and actual maturity.
Developing the Detection and Response Maturity Curve
A hallmark of a mature cybersecurity program is the ability to rapidly and accurately detect a threat and confidently respond to it in a manner that minimizes its potential impact. However, believing you are cyber mature and actually being cyber mature are very different.
To find the right answer, we leveraged data uncovered in our report, The State of Cyber Defense 2023: The False-Positive of Trust, which included answers from 1,000 global security decision-makers. Layering those responses with Kroll’s frontline threat intelligence, we examined the perceptions and realities of threat detection and response in today’s landscape to develop the Model. This Model will help security leaders benchmark their programs, prioritize investments and increase resilience.
Our framework established three categories: Novice, Explorer and Trailblazer. Novices have low cyber maturity, Explorers show average maturity and Trailblazers demonstrate the highest maturity.
Novices are likely to be using simpler collection and monitoring tools to detect cyberattacks, and may either have no actions for responding to high-severity threats or rely on threat monitoring and investigation as their only defenses. They have only a few elements in their cybersecurity program.
Explorers may have access to limited threat intelligence, can create some custom use cases/rules to alert them to known cyberattacks and use multiple tools to detect high-severity threats. They have multiple elements in their cybersecurity program.
Trailblazers are likely leveraging various sources of threat intelligence to continuously improve detection rules and proactively hunting for unknown behavior to detect cyberattacks, and some may be able to detect threats in real time. They have many actions to respond to high-severity threats, including remediation and digital forensics. They are likely to have a large toolkit in their cybersecurity program.
Detection and Response Maturity Delivers ROI
The number of security incidents is significantly lower for Trailblazer organizations, compared with the other two groups (figure 3). This, combined with the high cost of a data breach, demonstrates that moving from Novice or Explorer level to Trailblazer status could save organizations millions of dollars a year (figure 4).