The word "maturity" appears in cybersecurity conversations so frequently that it has lost precision. A vendor pitching an XDR platform will tell you it will "mature your security posture." A CISO presenting to the board will describe the organisation as "maturing in its cyber resilience." But when SEBI's CSCRF, effective April 2025, requires regulated entities to demonstrate cybersecurity maturity and establish improvement roadmaps, it is using the word with a specific technical meaning — one drawn from the NIST Cybersecurity Framework 2.0.

For boards, the shift from vague aspiration to measurable framework is significant. It means the board can now ask a precise question — "What Tier are we at, and what is the plan to reach the next Tier?" — and expect a quantified answer backed by evidence.

01 The NIST CSF 2.0 Framework: Six Functions, Four Tiers

NIST CSF 2.0, published in 2024, organises cybersecurity capability across six functions. Each function represents a distinct domain of security capability, and the maturity of each function is measured on a four-tier scale. The framework was updated in 2024 to add a sixth function — GOVERN — which is specifically about board and leadership oversight of cybersecurity. It is not a coincidence that this function was added: the regulatory environment globally, and particularly in India, is demanding board-level governance accountability.

NIST CSF 2.0 — Six Functions with Indicative Tier Scores (Illustrative)

Govern · Tier 3 — Repeatable · 75%
Identify · Tier 2–3 — Transitional · 68%
Protect · Tier 3 — Repeatable · 82%
Detect · Tier 3 — Repeatable · 71%
Respond · Tier 2–3 — Transitional · 65%
Recover · Tier 2 — Risk Informed · 58%

RiskSage computes Tier scores for each of the six functions daily, using data drawn live from the risk graph — control implementations, evidence freshness, VAPT findings, incident SLA performance, and more. The result is a maturity picture that is not a questionnaire answer or a consultant's assessment, but a continuous, evidence-backed measurement.

02 The Four Tiers in the Indian BFSI Context

The four NIST CSF Tiers describe how an organisation's cybersecurity practice evolves from informal to adaptive. Here is what each tier looks like in the context of an Indian bank, insurer, or broker — and what it means for regulatory compliance.

TIER 1 Partial

Cybersecurity risk management is ad hoc. There is no consistent process for identifying, prioritising, or responding to risks. Security decisions are reactive — driven by incidents or audit findings rather than planned management. The organisation has limited awareness of its own risk profile.

In practice: A mid-size NBFC whose security team responds to alerts from a single antivirus tool, has no formal vendor risk programme, and whose board last saw a cyber risk update two years ago during an RBI audit preparation exercise.

No formal ISMS · Reactive IR · Manual compliance tracking · No VAPT programme · ⚠ Likely non-compliant: RBI, IRDAI

TIER 2 Risk Informed

Risk management practices exist but are not organisation-wide. The CISO has a defined function. There is some documentation of risks and controls. Compliance tracking is mostly manual. The organisation is aware of external threats but does not consistently update its risk posture based on the threat landscape.

In practice: A regional private bank with an ISO 27001 certification, a GRC spreadsheet, annual VAPT, and a CISO who presents to the board semi-annually — but where business units operate outside the security framework and vendor risk management is handled by procurement.

Basic ISMS · Annual VAPT · Some policy framework · Semi-annual board review · Partial CERT-In compliance

TIER 3 Repeatable

Formal, approved security policies exist and are consistently applied across the organisation. Risk management is integrated into business processes. Continuous monitoring is in place. Incident response is exercised regularly. The board receives structured cybersecurity oversight information. Third-party risk is formally managed.

In practice: A large insurer with a functioning GRC platform, regular VAPT by CERT-In empanelled firms, board attestation to IRDAI, continuous control monitoring, a vendor pre-onboarding programme, and a quarterly board cybersecurity dashboard reviewed by the audit committee.

Continuous monitoring · Board governance structured · Formal vendor risk mgmt · Exercised IR programme · ✓ Substantially compliant: RBI, IRDAI, SEBI

TIER 4 Adaptive

The organisation uses real-time data and lessons from previous incidents to continuously improve its cybersecurity practices. Security is deeply embedded in risk culture. The board uses financial quantification (CRQ) to make investment decisions. Threat intelligence is operationalised. Regulatory changes are absorbed rapidly. Security metrics drive board-level strategy.

In practice: A top-tier bank whose CISO presents a live FAIR-modelled risk exposure dashboard to the board each quarter, whose security investments are justified with ALE calculations, and whose regulatory posture is monitored against 8 regulator feeds in real time.

CRQ-driven investment · Threat intel operationalised · Real-time regulatory watch · Adaptive security culture · ✓ Leadership posture — regulatory exemplar

03 The Board Maturity Assessment Checklist

Before the board can drive maturity improvement, it needs to understand where the organisation stands today. The following board-level checklist corresponds to the signals that distinguish Tier 2 from Tier 3 — the transition that most Indian BFSI organisations need to make to satisfy current regulatory expectations.

Board Governance Maturity Assessment — Tier 2 to Tier 3 Transition Checklist

Board receives a structured cybersecurity dashboard — not just a narrative — with posture scores, trend lines, and gap counts per regulatory framework
Cyber risk is quantified in ₹ crore — the board knows the financial exposure of the top 3–5 risk scenarios, not just their qualitative severity
Incident SLA performance is measured — CERT-In, RBI, and IRDAI deadline adherence tracked as a percentage, visible to the board
VAPT findings are tracked to closure — not just at the time of the VAPT report, but continuously until all CRITICAL and HIGH findings are remediated and evidenced
Security investments are justified with ROI analysis — the board has visibility into how each major security programme reduces ₹ crore of risk exposure
Regulatory change tracking is automated — when RBI or IRDAI issues a new circular, the CISO knows within days, not weeks, and can show the board the impact on control coverage
Maturity roadmap is maintained and board-approved — a quarter-level plan showing which function will reach which Tier by when, driven by in-flight security initiatives

Most Indian BFSI boards are at Tier 2. The regulatory environment is now demanding Tier 3. The gap is not technical — it is governance.

04 The Path from Tier 2 to Tier 3 in 12 Months

Moving from Tier 2 to Tier 3 requires changes in four specific areas. Technical controls are rarely the bottleneck — the bottleneck is governance infrastructure: the measurement systems, the evidence trails, and the board reporting cadence that Tier 3 requires.

Months 1–2 · Foundation

Establish the measurement baseline. Deploy continuous control monitoring. Compute the current Tier score for each NIST CSF function using live data from the risk graph. The board cannot plan a journey without knowing the starting point — and the starting point must be evidence-backed, not self-assessed.

Months 3–5 · Board Governance Layer

Instrument the board oversight process. Implement the Board Cybersecurity Dashboard with regulatory scorecards, incident SLA tracking, and attestation calendar. The board starts receiving a structured dashboard — replacing the ad hoc CISO narrative — and formally reviews it quarterly as a standing agenda item.

Months 6–9 · Control Drift and Regulatory Watch

Make the posture self-maintaining. Deploy control drift detection — automated alerts when evidence expires, posture degrades, or a new regulatory circular changes the compliance picture. The board no longer needs to ask "have things changed?" — the system surfaces drift automatically.

Months 10–12 · Financial Quantification

Express risk in the board's language: money. Implement the CRQ Engine to compute ALE for the top risk scenarios in ₹ crore. Present the maturity roadmap with investment ROI — "Upgrading our PAM capability moves the GOVERN function from Tier 2 to Tier 3 and reduces identity-related ALE by an estimated ₹12 crore." The board can now make resource allocation decisions.
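As an added illustration of the ALE and ROI arithmetic behind a statement like that (example code, not RiskSage's CRQ engine; the PAM scenario, its frequency and magnitude ranges and the annual cost are constructed):

```python
import math
import random

# Added example, not RiskSage's CRQ engine: a simplified FAIR-style Monte Carlo.
# Each simulated year draws a loss event frequency (LEF) and, per event, a loss
# magnitude from triangular (low, most likely, high) estimates. All figures are
# constructed and expressed in ₹ crore.

def _poisson(lam, rng):
    """Number of loss events in a year with mean lam (Knuth's method)."""
    limit, count, prod = math.exp(-lam), 0, rng.random()
    while prod >= limit:
        count += 1
        prod *= rng.random()
    return count

def simulate_ale(lef, magnitude, years=20_000, seed=7):
    """Mean annual loss over simulated years; lef and magnitude are (low, mode, high)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        rate = rng.triangular(lef[0], lef[2], lef[1])
        for _ in range(_poisson(rate, rng)):
            total += rng.triangular(magnitude[0], magnitude[2], magnitude[1])
    return total / years

def analytic_ale(lef, magnitude):
    """Closed-form sanity check: E[events] * E[loss], triangular mean = (a+b+c)/3."""
    return (sum(lef) / 3) * (sum(magnitude) / 3)

def roi(ale_before, ale_after, annual_cost):
    """Net risk reduction per ₹ of annual control spend."""
    return (ale_before - ale_after - annual_cost) / annual_cost

# Constructed scenario: privileged credential misuse before and after a PAM upgrade.
BEFORE = dict(lef=(0.5, 1.5, 4.0), magnitude=(1.0, 4.0, 15.0))
AFTER = dict(lef=(0.1, 0.4, 1.0), magnitude=(0.5, 2.0, 8.0))
PAM_ANNUAL_COST = 1.2

def board_summary():
    """The figures a Months 10-12 board paper would carry for this scenario."""
    before, after = simulate_ale(**BEFORE), simulate_ale(**AFTER)
    return {"ale_before": round(before, 2), "ale_after": round(after, 2),
            "reduction": round(before - after, 2),
            "roi": round(roi(before, after, PAM_ANNUAL_COST), 2)}
```

The analytic check exists so that a board paper can state the Monte Carlo estimate alongside the closed-form expectation; a large gap between the two is a sign the input ranges or the simulation need review.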

05 How RiskSage Computes Maturity Scores

The RiskSage CISO Command Dashboard includes the NIST CSF 2.0 maturity engine — an automated scoring system that computes Tier scores for each of the six functions daily, using evidence drawn directly from the risk graph.

The score for each function is derived from the underlying graph objects:

GOVERN: board review cadence, policy approval rates, exception handling records.
IDENTIFY: asset inventory completeness, DPDP classification coverage, initiative gate completion rates.
PROTECT: UCL control implementation percentage, evidence freshness, policy attestation completion.
DETECT: VAPT coverage, monitoring rule activation rates, log retention compliance.
RESPOND: incident SLA adherence, IR playbook availability, CERT-In notification performance.
RECOVER: BCP/DR documentation, recovery testing records, RBI resilience control coverage.

Every Tier score is drillable. The board sees "RESPOND: Tier 2.8 (transitional)" and can click through to the specific control gaps driving the score. This is the evidence chain that IRDAI's board attestation and SEBI's CSCRF audit requirements demand.
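As an added example (not RiskSage code) of how a function score and a drillable fractional Tier can be derived from evidence signals such as those listed for RESPOND; the signal weights, the Tier bands and the sample RESPOND values are all assumptions:

```python
from dataclasses import dataclass
from datetime import date
# Added example, not RiskSage code: evidence signals for one CSF function become
# a percentage score, a fractional Tier and its gap drivers. Weights and Tier
# bands are assumptions made for illustration.

@dataclass
class Signal:
    name: str
    value: float   # evidence-derived ratio in 0..1, e.g. controls implemented / required
    weight: float  # relative importance within the function

def evidence_freshness(evidence_dates, as_of, max_age_days=90):
    """Share of evidence items refreshed within max_age_days of as_of."""
    if not evidence_dates:
        return 0.0
    fresh = sum(1 for d in evidence_dates if 0 <= (as_of - d).days <= max_age_days)
    return fresh / len(evidence_dates)

def function_score(signals):
    """Weighted percentage score for one CSF function, to one decimal place."""
    total = sum(s.weight for s in signals)
    return round(100 * sum(s.value * s.weight for s in signals) / total, 1)

# Assumed banding: Tier 1 below 50%, 20-point bands for Tiers 2 and 3, Tier 4
# from 90%. A score in the top 30% of its band is labelled transitional.
BANDS = [(1, 0, 50), (2, 50, 70), (3, 70, 90), (4, 90, 100)]

def tier_from_score(pct):
    """Return (fractional Tier such as 2.8, band label)."""
    for tier, lo, hi in BANDS:
        if lo <= pct < hi or (tier == 4 and pct == 100):
            frac = round(min(tier + (pct - lo) / (hi - lo), 4.0), 1)
            if tier < 4 and frac - tier >= 0.7:
                return frac, f"Tier {tier}-{tier + 1} (transitional)"
            return frac, f"Tier {tier}"
    raise ValueError(f"score out of range: {pct}")

def gap_drivers(signals, floor=0.7):
    """Signals below the floor, weakest first: the drill-down behind a Tier."""
    return [s.name for s in sorted(signals, key=lambda s: s.value) if s.value < floor]

# Constructed RESPOND evidence as of a fixed date; all values are illustrative.
AS_OF = date(2025, 6, 30)
IR_EVIDENCE_DATES = [date(2025, 5, 2), date(2025, 1, 15), date(2025, 6, 20), date(2025, 4, 10)]
RESPOND = [
    Signal("incident SLA adherence", 0.65, 4),  # CERT-In, RBI, IRDAI deadlines met / total
    Signal("IR playbook availability", 1.0, 1),
    Signal("CERT-In notification performance", 0.50, 3),
    Signal("IR evidence freshness", evidence_freshness(IR_EVIDENCE_DATES, AS_OF), 2),
]
```

With these inputs RESPOND scores 66.0%, lands at Tier 2.8 (transitional), and the drill-down names CERT-In notification performance and incident SLA adherence as the gaps holding the function below Tier 3.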

Assess Your Organisation's Maturity Tier Today

The RiskSage NIST CSF 2.0 maturity engine computes live Tier scores from your actual risk graph — not a questionnaire. See where you stand across all six functions.
