If you have been through a Firestorm assessment, you have received a Cyber Index score: a number between 0 and 100 that summarizes your organization's cybersecurity posture across domains including governance, identity management, endpoint protection, network security, data protection, incident response, security awareness, and vendor management. Each domain is weighted by its impact on overall risk, so a weakness in incident response moves the composite more than a gap in a low-risk configuration standard.
The score is the headline of the deliverable, but it is the least actionable part. The value comes from how you use it: reading it in context, briefing leadership with it, and converting the findings beneath it into a plan.
Reading the Score in Context
Scores map to four maturity tiers, from Foundation through Resilience. The tier definitions, the domains behind them, and how they align to frameworks such as NIST CSF and CIS Controls are covered in our guide to the STORM Risk Tier Framework. This article assumes that background rather than repeating it.
Two pieces of context matter more than the composite number. The first is the domain breakdown. A 55 built on strong technical controls and weak governance calls for different work than a 55 with the opposite shape, and the domain-level results are where that difference shows. The second is comparison. Your results are compared against the patterns we observe across similar organizations: public-sector entities of comparable size and structure, including school districts, colleges, and municipalities. That comparison is directional rather than statistical, and we present it that way. Its purpose is to tell you whether a domain result is typical for organizations like yours or an outlier worth attention.
Briefing Your Cabinet and Board
The Cyber Index is designed to be presented to non-technical leadership without translation. A briefing that works in a cabinet or board setting covers four things:
- The composite score and tier, in plain language, with one sentence on what the tier means operationally
- The two or three domains that drive the score, covering strengths as well as gaps
- The top recommendations from the findings, each tied to the risk it reduces
- The expected timeline and investment, even at rough order of magnitude
Boards do not need the technical findings. They need to understand what the organization is exposed to, what is being done about it, and which decisions are theirs to make. A statement such as "our incident response domain sits below what we see in comparable organizations, and here is the plan to address it" gives a board something to govern; a list of technical findings does not.
Turning Findings Into a 12-Month Roadmap
The findings that accompany the score are the working document. The pattern that converts them into a roadmap:
- Sequence by risk and feasibility together. Start with items that are both high-impact and achievable in your environment, such as MFA enforcement gaps, untested backups, and missing incident response basics. Items that are valuable but structural, such as data classification or zero trust elements, belong in later quarters.
- Assign each item an owner and a quarter. A finding without a named owner and a target date is an observation rather than a plan.
- Connect the roadmap to existing cycles. Budget requests, board calendars, insurance renewals, and audit schedules create natural deadlines. A roadmap aligned to those cycles gets resourced; one that ignores them competes for attention.
- Report against it quarterly. The roadmap doubles as the reporting structure. Each leadership update covers what closed, what moved, and what is blocked.
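As an added illustration of the four steps above (this is not Firestorm's tooling and not part of the original article), the following Python script ranks findings by impact and feasibility together, flags any finding that lacks a named owner and a target quarter, and compares two snapshots of the roadmap to produce the closed/moved/blocked summary a quarterly update needs. The 1-to-5 impact and feasibility scales, the sample findings, the owners, and the quarter labels are all constructed for the example and are not taken from any assessment.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    domain: str
    impact: int            # 1 (low) .. 5 (high): risk reduced if the item is closed (assumed scale)
    feasibility: int       # 1 (structural, multi-quarter) .. 5 (achievable now) (assumed scale)
    owner: Optional[str] = None
    quarter: Optional[str] = None   # target quarter, e.g. "Q1"
    status: str = "open"            # open | in_progress | closed | blocked


def sequence(findings):
    # Rank by risk and feasibility together: highest impact*feasibility first, ties broken by impact.
    return sorted(findings, key=lambda f: (f.impact * f.feasibility, f.impact), reverse=True)


def bucket(f):
    # Quick win: high impact and achievable now. Structural: valuable but belongs in later quarters.
    if f.impact >= 4 and f.feasibility >= 4:
        return "quick_win"
    if f.impact >= 4 and f.feasibility <= 2:
        return "structural"
    return "standard"


def unplanned(findings):
    # A finding without a named owner and a target quarter is an observation, not a plan.
    return [f.id for f in findings if not (f.owner and f.quarter)]


def quarterly_report(previous, current):
    """Diff two roadmap snapshots: what closed, what moved (status or quarter changed), what is blocked."""
    prev = {f.id: f for f in previous}
    report = {"closed": [], "moved": [], "blocked": []}
    for f in current:
        p = prev.get(f.id)
        if f.status == "closed" and (p is None or p.status != "closed"):
            report["closed"].append(f.id)
        elif f.status == "blocked":
            report["blocked"].append(f.id)
        elif p is not None and (p.status != f.status or p.quarter != f.quarter):
            report["moved"].append(f.id)
    return report


# Constructed sample findings modelled on the kinds of items named in the text; not from a real assessment.
BASELINE = [
    Finding("F1", "MFA not enforced for remote access", "Identity Management", 5, 5, "IT Director", "Q1"),
    Finding("F2", "Backups never restore-tested", "Incident Response", 5, 4, "Sysadmin", "Q1"),
    Finding("F3", "No written incident response plan", "Incident Response", 4, 4),  # no owner, no quarter
    Finding("F4", "No data classification scheme", "Data Protection", 4, 2, "CIO", "Q4"),
    Finding("F5", "Vendor reviews undocumented", "Vendor Management", 3, 3, "Procurement", "Q2"),
]

# Constructed snapshot of the same roadmap one quarter later.
QUARTER_ONE = [
    replace(BASELINE[0], status="closed"),
    replace(BASELINE[1], status="in_progress"),
    replace(BASELINE[2], owner="IT Director", quarter="Q2"),
    replace(BASELINE[3], status="blocked"),
    BASELINE[4],
]

if __name__ == "__main__":
    for f in sequence(BASELINE):
        print(f"{f.id} {bucket(f):10s} score={f.impact * f.feasibility} {f.title}")
    print("unplanned at baseline:", unplanned(BASELINE))
    print("quarterly report:", quarterly_report(BASELINE, QUARTER_ONE))
```

The ordering puts the MFA gap and the untested backups first and the data classification item last, which matches the sequencing rule in the text even though classification scores the same impact as the missing incident response plan. The first snapshot also shows why the owner-and-quarter check matters: F3 is on the findings list but not on the plan until someone is named for it.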
What Changes the Score and What Does Not
Scores move when controls change in ways the methodology measures: MFA coverage extended, an incident response plan written and exercised, vulnerability scanning operating on a cadence, vendor reviews documented, policies approved and current. Documentation carries real weight here, and that is by design rather than bureaucracy. A control that exists only in one person's practice is fragile, and the framework scores the organization rather than the individual.
Spending alone does not move the score. A tool that is purchased but not fully deployed, a policy that leadership never approved, or a single training session without a recurring program leaves the underlying posture, and therefore the score, where it was. The score also does not credit activity the assessment cannot see: undocumented practices may be real, but they cannot be verified, sustained, or handed to a successor.
How Re-Assessment Measures Progress
A single assessment establishes a baseline; re-assessment turns the score into a trend. Because the methodology is consistent between cycles, movement in the score reflects movement in the program rather than a change in measurement. Domain-level comparison between cycles shows where the roadmap delivered and where items stalled, which is often more useful than the change in the composite.
The goal of the cycle is not a particular number but a posture that is demonstrably improving, documented well enough to survive staff changes, and legible to your board, your insurer, and your auditors. The re-assessment score is the simplest evidence of that progress.
Have questions or need support with your Cyber Index score? Start a conversation.