Blog Series: Cybersecurity Readiness for the Businesses That Need It Most – Part 1

William Tulaba Natick Cybersecurity Readiness - Part 1

Part 1: Most Businesses Do Not Know Their Cybersecurity Posture

A lot of companies say they measure themselves against the NIST Cybersecurity Framework.

The harder question is this:

Can they show the receipts?

That is where things usually get interesting.

I have worked in technology and cybersecurity long enough to know that most companies are not ignoring security. In fact, many are doing a lot of good things. They have MFA. They have endpoint protection. They have email security. They have backups. They have firewalls, policies, ticketing systems, vulnerability scans, cyber insurance applications, and maybe even a few security dashboards.

But having security tools is not the same as knowing your cybersecurity posture.

And saying “we align with NIST CSF” is not the same as proving that you have actually measured yourself against it.

That is the gap I want to talk about in this series.

The uncomfortable truth about cybersecurity readiness

Most companies are not starting from zero.

That is an important point.

The problem is usually not that nobody cares about cybersecurity. The problem is that cybersecurity programs grow in pieces.

A company adds MFA because of an insurance requirement. Then it adds endpoint protection after a security review. Then it improves backups after a ransomware story scares the leadership team. Then it writes policies because a customer asks for them. Then someone starts tracking vulnerabilities because an audit or assessment raised the issue.

Before long, the company has a lot of cybersecurity activity happening.

But activity is not the same as maturity.

That is where many businesses get stuck.

They have tools. They have effort. They have good intentions. What they often do not have is a clear, structured, business-readable way to answer:

Where do we actually stand?

Not where do we think we stand.

Not what tools did we buy.

Not what did we say on the last questionnaire.

Where do we actually stand?

“We use NIST CSF” needs to mean something

NIST CSF is a great framework because it gives organizations a common language. It helps structure cybersecurity around practical outcomes like governing risk, identifying assets, protecting systems, detecting threats, responding to incidents, and recovering from disruption.

That is valuable.

But I have also seen how easily “we align to NIST” can become a vague statement.

There is a big difference between saying:

“We generally use NIST CSF as guidance.”

And saying:

“We completed a NIST CSF 2.0 self-assessment, reviewed our maturity across the framework, identified gaps, prioritized remediation, and can show the data behind our results.”

The second version carries weight.

It gives leadership something to discuss. It gives IT and security teams something to work from. It gives customers, auditors, insurers, and business partners something more meaningful than a generic statement.

It shows that the company is not just talking about cybersecurity readiness.

It is measuring it.

The receipts are usually missing

This is the part that keeps showing up.

A business may be able to explain its security program in a meeting. Someone can describe the tools. Someone can explain the backup process. Someone can talk about access control, email security, vulnerability scans, or incident response.

But when asked for a structured view of the program, the evidence is often scattered.

It may be sitting in spreadsheets, policy folders, tickets, old audit responses, vendor portals, email threads, and someone’s memory.

That makes it hard to answer basic questions like:

  • What is our current cybersecurity maturity?
  • Which NIST CSF areas are strongest?
  • Which areas need the most attention?
  • What are our top risks?
  • What should we fix first?
  • What have we improved since the last assessment?
  • What can we confidently share with leadership or customers?

When those answers are not easy to produce, cybersecurity becomes harder to manage.

Not because the team is bad.

Not because the company does not care.

But because the organization does not have a repeatable way to measure and communicate readiness.

Tools do not automatically create maturity

This is one of the biggest misconceptions in cybersecurity.

Buying a tool may improve capability, but it does not automatically create a mature program.

For example:

MFA may be enabled, but is it enforced everywhere it matters?

Backups may exist, but has anyone tested a restore recently?

An incident response plan may be written, but has the team practiced it?

Logs may be collected, but is anyone reviewing or correlating them?

Policies may exist, but are they current, approved, and understood?

Vendors may be onboarded, but is anyone reviewing vendor risk?

Executives may get security updates, but are they seeing risk in a way they can act on?

That is the difference between having security components and having cybersecurity readiness.

Readiness is about whether the organization can understand its risk, make decisions, respond under pressure, and improve over time.
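As an added illustration (not from the original post and not BESTcyberIQ's code), here is a small Python model of the two points above: the question list a business should be able to answer, and the gap between "the tool exists" and "we can show it is working". It scores constructed sample results against real NIST CSF 2.0 category IDs, attaches the "receipts" to each score, and rolls them up per function; the 0-4 scale, the targets and the sample data are assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean

# NIST CSF 2.0 function prefixes (real) mapped to function names.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

@dataclass
class CategoryResult:
    category: str   # real CSF 2.0 category ID, e.g. "PR.AA"
    score: int      # assessed maturity on an assumed 0-4 scale
    target: int     # where the business decided this category needs to be
    evidence: list = field(default_factory=list)  # the "receipts" behind the score

def function_scores(results):
    """Average maturity per CSF function: which areas are strongest or weakest."""
    by_fn = {}
    for r in results:
        by_fn.setdefault(FUNCTIONS[r.category.split(".")[0]], []).append(r.score)
    return {fn: round(mean(scores), 2) for fn, scores in by_fn.items()}

def gaps(results):
    """Categories below target, largest gap first; at equal gap, unevidenced ones come first."""
    below = [r for r in results if r.score < r.target]
    return [r.category for r in sorted(below, key=lambda r: (r.score - r.target, bool(r.evidence), r.category))]

def unsupported_claims(results):
    """Categories scored at or above target with nothing attached: a claim, not a measurement."""
    return [r.category for r in results if r.score >= r.target and not r.evidence]

def progress(previous, current):
    """Score change per category since the last assessment."""
    prev = {r.category: r.score for r in previous}
    return {r.category: r.score - prev[r.category] for r in current if r.category in prev}

# Constructed sample data for a small business: last year's assessment and this year's.
LAST_YEAR = [CategoryResult(c, s, t) for c, s, t in
             [("GV.PO", 1, 3), ("ID.AM", 2, 3), ("PR.AA", 2, 4), ("PR.DS", 2, 3),
              ("DE.CM", 1, 3), ("RS.MA", 1, 3), ("RC.RP", 1, 3)]]
THIS_YEAR = [
    CategoryResult("GV.PO", 2, 3, ["policy-register.xlsx"]),
    CategoryResult("ID.AM", 3, 3, ["asset-inventory-export.csv"]),
    CategoryResult("PR.AA", 4, 4),               # "MFA is everywhere", but nothing attached
    CategoryResult("PR.DS", 2, 3, ["backup-job-report.pdf"]),
    CategoryResult("DE.CM", 1, 3),               # logs are collected, nobody reviews them
    CategoryResult("RS.MA", 2, 3, ["ir-plan-v2.pdf"]),
    CategoryResult("RC.RP", 3, 3, ["restore-test.log"]),
]
```

Running `gaps(THIS_YEAR)` puts DE.CM first (largest gap, no evidence), `unsupported_claims(THIS_YEAR)` flags PR.AA as an MFA claim with no receipt behind it, and `progress(LAST_YEAR, THIS_YEAR)` answers "what have we improved since the last assessment".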

Why this matters more now

The pressure on businesses is increasing.

Customers are asking more detailed security questions. Cyber insurance applications are getting more specific. Boards and executives want clearer visibility. Auditors and assessors want evidence. Business partners want confidence that their data and systems are not being put at unnecessary risk.

And the old answers do not work as well anymore.

“We take cybersecurity seriously” is not enough.

Everyone says that.

The better answer is:

“Here is how we measure cybersecurity readiness, here is where we are strong, here are the gaps we found, and here is what we are doing next.”

That is a stronger conversation.

It is also a more honest one.

Self-assessment is not a shortcut. It is a starting point.

Not every business can hire a full-time CISO.

Not every business has a GRC team.

Not every business is ready for a formal audit or a large consulting engagement.

But every business can start by measuring itself in a structured way.

A self-assessment is not a certification. It is not an audit opinion. It does not magically make a company compliant or secure.

But it does create visibility.

And visibility matters.

A good self-assessment helps a company understand:

  • Where it is strong
  • Where it is exposed
  • Where it has process gaps
  • Where leadership needs to pay attention
  • Which fixes should come first
  • What progress looks like over time

That is how companies move from assumption to evidence.

This is especially important for small and mid-sized businesses

Large enterprises usually have more resources. They may have dedicated security teams, risk teams, compliance teams, internal audit, outside advisors, and executive reporting structures.

Smaller and mid-sized businesses often do not.

But they still face real cybersecurity expectations.

They still have customer data. They still rely on cloud systems. They still have employees, identities, endpoints, email, vendors, financial systems, and sensitive information. They still need insurance. They still answer customer questionnaires. They still need to recover if something goes wrong.

In many ways, these are the businesses that need practical cybersecurity readiness the most.

They do not need another complicated framework binder that sits on a shelf.

They need a way to understand where they stand, what matters most, and what to do next.

Moving from guesswork to measurable readiness

That is really the point of this series.

Cybersecurity readiness should not be based on gut feel.

It should not depend on whoever happens to know where the spreadsheet is.

It should not be something a company only thinks about during an audit, insurance renewal, customer review, or incident.

It should be measured.

It should be documented.

It should be understandable to both technical teams and business leaders.

The goal is not to make every company look perfect. No company is perfect.

The goal is to move from:

“We think we are in decent shape.”

To:

“Here is our current posture, here are the gaps we found, here are the priorities, and here is how we are improving.”

That is what real cybersecurity readiness looks like.

Why I am writing this series

I am writing this series because I believe there is a practical gap in the market.

There are plenty of tools for large enterprises. There are plenty of consultants for companies with big budgets. There are plenty of frameworks, policies, control libraries, and compliance checklists.

But many businesses still struggle with a basic question:

How do we actually measure where we stand?

That is the gap I have been focused on with BESTcyberIQ.

BESTcyberIQ is my attempt to help bridge the space between cybersecurity frameworks and real-world business readiness. The goal is to help organizations complete a practical NIST CSF 2.0 self-assessment, document their posture, identify gaps, and turn those results into something leadership can understand and act on.

Because if a company says it aligns with NIST CSF, it should be able to show how it measured that alignment.

It should be able to show the receipts.

And cybersecurity readiness needs receipts.

That is the problem I want to help solve.