Skip to content

Thanks to everyone who took part in the first year of the new cyber maturity benchmark – a big step in the right direction towards creating a more cyber resilient Victoria.

More than 70% of all the organisations we approached took part in the benchmark, completing their assessments and implementing the Essential Eight control strategies.

Here’s what our analysis shows:

  • ‘Patch application’ and ‘patch operating system’ strategies showed the smallest gulf between desired and actual states of maturity.
  • The ‘application control’ and ‘restrict administrative privileges’ strategies had the greatest gap between desired and actual states of maturity. Anecdotally, we know these are more difficult to implement, and Australian Cyber Security Centre (ACSC) has simple advice about implementing application control and restricting administrative privileges.
  • There’s no causal relationship between the size of the organisation and its cyber maturity. Small to medium enterprises scored equal to or higher than large enterprises on 7 out of 8 mitigation strategies.
  • Cyber maturity isn’t a function of size, but of purpose and criticality. According to the ACSC, not all organisations need to aim for the highest maturity model, as higher cyber maturity increases the burden on operating environments, and isn’t appropriate for all organisations.
  • The ACSC generally recommends:
    • Maturity level 1 for small-to-medium enterprises
    • Maturity level 2 for large enterprises, and
    • Maturity level 3 for critical infrastructure providers and other organisations that operate in high-threat environments.

Year 2 assessments open; more support available to build your cyber maturity

VMIA and DPC’s Cyber Security Unit are here to help you build your cyber maturity.

Complete the assessment or contact your risk adviser at to find out more.