
Understanding the STORM Risk Tier Framework

Many compliance standards treat security as binary: an organization is compliant or it is not. That framing does not reflect operational reality. A small organization with one IT generalist and a large institution with a dedicated security team face fundamentally different threat profiles and have fundamentally different resources. Holding them to the same standard helps neither.

The STORM Risk Tier Framework takes a different approach. Instead of a single bar everyone must clear, it defines four tiers of security maturity. Each tier represents a coherent, defensible posture appropriate to an organization's size, risk profile, and available resources. The goal is not to push every organization toward the highest tier but to help each organization identify the right tier and build a realistic path to get there.

The Five Domains

Scoring spans five domains, aligned to the NIST Cybersecurity Framework. Each domain captures a distinct aspect of security maturity.

Strategy. How your organization thinks about security at a leadership level. This includes risk assessments, security planning, resource allocation, and alignment between security priorities and organizational objectives.

Protect. The technical and administrative controls that prevent unauthorized access and reduce the attack surface. Endpoint protection, access management, encryption, network segmentation, and security awareness training all live here.

Detect. Your ability to identify threats and anomalies in your environment. This covers logging, monitoring, alerting, vulnerability scanning, and threat intelligence. Detection is the difference between finding an intruder in hours and finding them in months.

Correct. How your organization responds to and recovers from incidents. Incident response planning, backup and recovery, lessons learned, and communication procedures fall in this domain. Correct measures your ability to absorb a hit and keep operating.

Govern. The organizational structures and oversight mechanisms that sustain your security program over time. This includes policies, committees, board engagement, compliance management, and continuous improvement processes. Governance is what prevents your security program from depending on a single person's initiative.

The Four Tiers

Each domain is scored, and the composite score places your organization in one of four tiers. Explore the tiers below.


The tiers are not value judgments. A small organization operating at the Structure tier with intentional, documented practices is in a stronger position than a large organization that has purchased Vigilance-tier tools but operates them without governance or consistent processes.

Foundation (0-39%)

Foundation is the starting point for organizations early in their security journey, and it is common for small organizations with limited IT staff, minimal dedicated security budget, and competing priorities. Basic protections are usually in place (firewalls, antivirus, some form of email filtering), but documentation, formal processes, and designated security ownership are missing, so decisions are reactive, driven by incidents or audit findings rather than a plan.

Key focus areas at Foundation:

  • Implement MFA on all administrative and privileged accounts
  • Establish consistent endpoint protection and patching routines
  • Create a simple incident response plan; even a one-page document is better than none
  • Identify your most critical data and systems, and assign someone to own security

The goal at this tier is consistent, documented habits that reduce exposure to the most common attack vectors, not a comprehensive program overnight.

Structure (40-59%)

Structure represents the transition from reactive to intentional security, and it is where most organizations land on their first formal assessment. The controls exist but have not yet been organized into a cohesive program. Organizations at this tier typically have documented policies in place or in draft, a designated security coordinator, enforced MFA, tested backups, and a leadership team that recognizes cybersecurity as an organizational priority.

Key focus areas at Structure:

  • Document security policies and get them formally approved
  • Conduct and document an annual risk assessment
  • Build a vendor management process for critical service providers
  • Implement regular vulnerability scanning
  • Establish a recurring board reporting cadence

Structure is where security stops being an IT-only concern and becomes an organizational capability. The test is repeatability: whether practices hold up through staff turnover, budget shifts, and changing priorities.

Vigilance (60-79%)

Vigilance represents proactive maturity: organizations at this tier actively look for threats rather than waiting to respond to them. The tier is characterized by dedicated security leadership (a CISO, a dedicated analyst, or a Virtual CISO engagement), continuous or near-continuous monitoring, regular penetration testing, and security embedded in planning, procurement, and change management.

Key focus areas at Vigilance:

  • Establish 24/7 monitoring capability, in-house or through a managed provider
  • Integrate threat intelligence relevant to your sector
  • Conduct regular penetration testing
  • Build a formal security awareness program with metrics and accountability
  • Implement data classification and apply proportionate controls

Most organizations can reach Vigilance with sustained commitment and appropriate investment. It depends on dedicated leadership and organizational buy-in more than on a large security team.

Resilience (80-100%)

Resilience is the ability to absorb, adapt, and recover. Organizations at this tier assume breach, plan for failure, and validate their defenses continuously. The program is self-improving: zero trust architecture, adversary simulation, and automated response, refined with data from monitoring, testing, and incidents.

Few organizations need to target this tier. It requires significant sustained investment and fits large, complex organizations with high-value data, regulatory complexity, and sophisticated threat profiles. For most organizations, operating at Vigilance represents an excellent security posture.

Key focus areas at Resilience:

  • Implement zero trust architecture across critical systems
  • Conduct regular adversary simulation and purple team exercises
  • Automate detection and response for common attack patterns
  • Maintain a continuous improvement cycle driven by data rather than assumptions

How Tiers Map to Frameworks

The framework does not exist in isolation; it maps to the major cybersecurity frameworks your auditors, insurers, and regulators reference.

Maturity Tier   NIST CSF                 CIS Controls               CISA CPG
--------------  -----------------------  -------------------------  -------------------------
Foundation      Partial (Tier 1)         Working toward IG1         Priority goals
Structure       Risk Informed (Tier 2)   IG1 + partial IG2          Core CPGs addressed
Vigilance       Repeatable (Tier 3)      IG2 + partial IG3          CPGs plus sector-specific
Resilience      Adaptive (Tier 4)        IG3 largely implemented    Extends beyond CPG scope

This alignment means progress within the framework translates to progress against the others. If your insurer asks about CIS Controls or your auditor references NIST CSF, your maturity tier provides a clear reference point.

Finding Your Starting Point

The right starting point depends on where you are today, not where you think you should be. An honest assessment of current posture is more valuable than an aspirational target that does not account for your resources and constraints.

If you have completed a Cyber Index assessment, your score maps directly to these tiers. If you have not, our guide to understanding your Cyber Index score explains how to read the score and put it to work.

The value of a maturity model lies not in ranking organizations against each other but in giving each organization a clear picture of where it stands, where it needs to go, and what the next set of achievable improvements looks like. That is what the framework is designed to do.
