"Where are we right now?"
It's the simplest question in cybersecurity, yet I've watched seasoned CISOs struggle to answer it. In 2020, I sat in a conference room with the executive team of a $300 million manufacturing company. The CEO asked their CISO to describe their current security posture. After twenty minutes of technical jargon and meandering explanations, the CEO stopped him.
"I still don't understand. Are we secure or not?"
The CISO couldn't give a straight answer. Not because he was incompetent—he was brilliant. But because the organization had never systematically assessed where they stood. They had tools, policies, and good intentions. What they didn't have was a Current Profile.
That conversation cost them. Six months later, a ransomware attack paralyzed their operations for 12 days. The recovery cost exceeded $4.2 million. In the post-incident review, the CISO told me something that still echoes: "We were flying blind. We didn't know what we didn't know."
After fifteen years of conducting NIST Cybersecurity Framework assessments, I've learned this fundamental truth: you cannot improve what you cannot measure, and you cannot measure what you haven't defined.
That's where the Current Profile comes in.
What Is a NIST CSF Current Profile (And Why Most Organizations Get It Wrong)
Let me start with what the Current Profile is NOT:
It's not a list of your security tools
It's not your security budget
It's not a penetration test report
It's not a compliance checklist
Here's what it actually is: A Current Profile is a systematic snapshot of your organization's current cybersecurity activities mapped against the NIST CSF framework.
Think of it like a comprehensive health checkup. Your doctor doesn't just check one thing—they measure blood pressure, cholesterol, heart rate, weight, and dozens of other indicators. Then they compare those measurements against established baselines to understand your overall health.
A Current Profile does the same thing for your cybersecurity posture.
"A Current Profile isn't about judgment—it's about clarity. It's the honest truth about where you are today, which is the only place you can start your journey from."
The Five Core Functions: Your Assessment Foundation
The NIST CSF organizes cybersecurity activities into five core functions. Your Current Profile assesses your capabilities across each:
| Function | What It Measures | Key Question |
|---|---|---|
| Identify | Asset management, risk assessment, governance | Do you know what you need to protect? |
| Protect | Access control, data security, protective technology | Can you prevent security incidents? |
| Detect | Anomaly detection, continuous monitoring, detection processes | Can you discover security events when they occur? |
| Respond | Response planning, communications, analysis, mitigation | Can you take action when incidents happen? |
| Recover | Recovery planning, improvements, communications | Can you restore capabilities after an incident? |
I remember working with a financial services company in 2021 that was convinced their security was "pretty good." When we completed their Current Profile assessment, here's what we found:
Identify: Strong (Tier 3) - Excellent asset inventory and risk processes
Protect: Moderate (Tier 2) - Good access controls but weak data protection
Detect: Weak (Tier 1) - Minimal monitoring, no SIEM
Respond: Very Weak (Tier 0) - No documented response plan
Recover: Weak (Tier 1) - Backups existed but never tested
They were shocked. "We spent $800,000 on security last year," the CFO protested. The problem wasn't the investment—it was that 78% of their budget went to prevention while detection, response, and recovery were virtually unfunded.
Three months later, they suffered a business email compromise attack. Their strong Identify and Protect functions prevented it from being catastrophic, but their weak Detect function meant the attack went unnoticed for 43 days. By the time they discovered it, $340,000 had been fraudulently transferred.
The lesson? A chain is only as strong as its weakest link, and you can't strengthen what you haven't assessed.
The Current Profile Development Process: How to Actually Do This
Let me walk you through the methodology I've refined over 15+ years and 60+ assessments. This isn't theory—this is the battle-tested process that actually works.
Phase 1: Preparation (Weeks 1-2)
Before you assess anything, you need to set the stage properly.
1. Define Your Scope
I learned this lesson the hard way in 2017. We started a Current Profile assessment for a healthcare system without clearly defining scope. Four weeks in, we were drowning in complexity—should we assess the medical devices? The third-party billing system? The physician practice networks?
Now I always start with clear boundaries:
Scope Definition Questions:
What business units are included?
What systems and assets are in scope?
What external dependencies matter?
What regulatory requirements apply?
What timeframe are we assessing?
For that healthcare system, we eventually scoped to: corporate IT infrastructure, patient data systems, and directly managed facilities. We documented external dependencies separately. This clarity saved us months of confusion.
2. Assemble Your Assessment Team
Here's who you need at the table:
| Role | Why They're Critical | Time Commitment |
|---|---|---|
| Executive Sponsor | Provides authority and resources | 2-4 hours total |
| IT Leadership | Understands technical infrastructure | 20-30 hours |
| Security Team | Knows current controls and gaps | 40-60 hours |
| Compliance Officer | Understands regulatory requirements | 10-15 hours |
| Business Unit Leaders | Provide business context | 8-12 hours each |
| Risk Management | Connects security to business risk | 15-20 hours |
Pro tip: Don't try to do this alone. I watched a CISO attempt a solo Current Profile assessment in 2019. He spent six months on it, missed critical gaps, and produced a document nobody trusted because it lacked input from key stakeholders.
3. Establish Your Assessment Criteria
You need consistent criteria to evaluate each category. I use the following maturity scale, running from Level 0 (Absent) to Level 4 (Optimized):
| Maturity Level | Description | Indicators |
|---|---|---|
| Level 0 - Absent | No capability exists | No processes, tools, or awareness |
| Level 1 - Initial | Ad-hoc, reactive capability | Informal processes, inconsistent application |
| Level 2 - Managed | Documented, repeatable capability | Formal processes, regular execution |
| Level 3 - Defined | Standardized, organization-wide | Integrated processes, continuous improvement |
| Level 4 - Optimized | Adaptive, learning capability | Predictive analytics, automated optimization |
Phase 2: Data Collection (Weeks 3-6)
This is where the real work happens. You're gathering evidence across all 23 NIST CSF categories and 108 subcategories.
Data Collection Methods I Use:
1. Document Review (30% of assessment time)
Security policies and procedures
Network architecture diagrams
Asset inventories
Risk assessments
Incident reports from past 12 months
Audit and compliance reports
Vendor contracts and SLAs
2. Technical Assessments (25% of assessment time)
Configuration reviews
Log analysis
Security tool evaluation
Network scanning results
Access control audits
3. Stakeholder Interviews (25% of assessment time)
IT operations teams
Application owners
Security analysts
Help desk staff
Business process owners
4. Hands-on Testing (20% of assessment time)
Incident response simulation
Backup recovery testing
Access control verification
Change management observation
Let me share a real example. In 2022, I assessed a manufacturing company's Detect function. The documentation showed they had:
A SIEM solution (check)
24/7 security monitoring (check)
Defined detection processes (check)
On paper, they looked strong—probably Tier 3. But when I interviewed the security analysts and reviewed actual alerts, I discovered:
The SIEM had 15,000+ untuned rules generating 8,000 alerts daily
Analysts had created email filters to automatically delete most alerts
They investigated maybe 20 alerts per day
They'd missed three actual incidents in the past year
Their real maturity? Tier 1—tools existed but weren't effectively used.
"Trust, but verify. Documentation shows intent. Evidence shows reality. Always look for both."
Phase 3: Category-by-Category Assessment (Weeks 7-10)
Now you systematically evaluate each NIST CSF category. Here's my assessment template for the Identify function as an example:
IDENTIFY FUNCTION ASSESSMENT
| Subcategory | Description | Current Maturity | Evidence | Gaps Identified |
|---|---|---|---|---|
| Asset Management (ID.AM) | | | | |
| ID.AM-1 | Physical devices and systems inventory | Level 2 - Managed | Asset management database with 90% coverage, updated quarterly | 10% asset gap, no automated discovery |
| ID.AM-2 | Software platforms and applications inventory | Level 2 - Managed | Software asset list maintained, license tracking in place | Shadow IT applications not captured |
| ID.AM-3 | Organizational communication and data flows mapped | Level 1 - Initial | Basic network diagrams exist, data flow maps incomplete | Missing application-to-application flows |
| ID.AM-4 | External information systems cataloged | Level 2 - Managed | Vendor list maintained with criticality ratings | No security assessment for 40% of vendors |
| ID.AM-5 | Resources prioritized by criticality | Level 2 - Managed | Business impact analysis completed for critical systems | Prioritization not updated in 18 months |
| Business Environment (ID.BE) | | | | |
| ID.BE-1 | Organization's role in supply chain understood | Level 1 - Initial | High-level understanding exists | No formal supply chain risk assessment |
| ID.BE-2 | Organization's place in critical infrastructure identified | Level 2 - Managed | Critical infrastructure designation documented | Limited sector coordination |
| ID.BE-3 | Priorities for organizational missions established | Level 3 - Defined | Mission priorities clearly documented and communicated | Strong alignment across organization |
| ID.BE-4 | Dependencies and critical functions identified | Level 2 - Managed | Business continuity plans identify dependencies | Technology dependencies not fully mapped |
| ID.BE-5 | Resilience requirements established | Level 2 - Managed | RPO/RTO defined for critical systems | Recovery requirements for some systems missing |
I conduct this detailed analysis across all five functions. It's tedious, but this granularity is what makes the Current Profile valuable.
Phase 4: Implementation Tier Assessment (Week 11)
Beyond individual categories, you need to assess your overall organizational maturity using NIST's Implementation Tiers:
| Tier | Risk Management | Integrated Risk Management | External Participation |
|---|---|---|---|
| Tier 1: Partial | Risk management is informal, reactive, and irregular | Limited awareness, no organization-wide approach | No collaboration with external entities |
| Tier 2: Risk Informed | Risk management practices approved but may not be established | Risk-informed policies, but not organization-wide | Organization knows its role but limited participation |
| Tier 3: Repeatable | Organization-wide risk management policies | Consistent implementation, risk-informed approach | Organization collaborates and receives information |
| Tier 4: Adaptive | Adaptive to changing threat landscape | Continuous improvement, lessons learned integrated | Active intelligence sharing and collaboration |
A retail company I worked with in 2023 had a fascinating Tier assessment:
Corporate security team: Tier 3 (Repeatable)
Individual stores: Tier 1 (Partial)
E-commerce division: Tier 2 (Risk Informed)
Distribution centers: Tier 2 (Risk Informed)
This revealed a critical insight: their security program was fragmented. The corporate team had sophisticated processes that weren't cascading to operational units. We focused their improvement efforts on standardization rather than adding new tools.
Phase 5: Documentation and Validation (Weeks 12-14)
Your Current Profile needs to be documented in a format that's both comprehensive and usable. I create three deliverables:
1. Executive Summary (2-3 pages)
For the board and C-suite, focusing on:
Overall maturity assessment
Critical gaps and risks
Business impact of current state
High-level recommendations
2. Detailed Current Profile Report (30-50 pages)
For security and IT leadership, including:
Complete category-by-category assessment
Evidence supporting each rating
Comparison to industry benchmarks
Detailed gap analysis
Prioritized findings
3. Visual Dashboard (1 page)
A heat map showing maturity across all categories:
Sample Current Profile Heat Map:
| Function | Category | Maturity Level |
|---|---|---|
| IDENTIFY | Asset Management | 🟨 Level 2 |
| IDENTIFY | Business Environment | 🟨 Level 2 |
| IDENTIFY | Governance | 🟩 Level 3 |
| IDENTIFY | Risk Assessment | 🟨 Level 2 |
| IDENTIFY | Risk Management Strategy | 🟩 Level 3 |
| IDENTIFY | Supply Chain Risk Management | 🟧 Level 1 |
| PROTECT | Identity Management | 🟩 Level 3 |
| PROTECT | Awareness and Training | 🟨 Level 2 |
| PROTECT | Data Security | 🟨 Level 2 |
| PROTECT | Information Protection | 🟨 Level 2 |
| PROTECT | Maintenance | 🟧 Level 1 |
| PROTECT | Protective Technology | 🟨 Level 2 |
| DETECT | Anomalies and Events | 🟧 Level 1 |
| DETECT | Security Continuous Monitoring | 🟨 Level 2 |
| DETECT | Detection Processes | 🟧 Level 1 |
| RESPOND | Response Planning | 🟨 Level 2 |
| RESPOND | Communications | 🟧 Level 1 |
| RESPOND | Analysis | 🟧 Level 1 |
| RESPOND | Mitigation | 🟨 Level 2 |
| RESPOND | Improvements | 🟧 Level 1 |
| RECOVER | Recovery Planning | 🟨 Level 2 |
| RECOVER | Improvements | 🟧 Level 1 |
| RECOVER | Communications | 🟨 Level 2 |
🟩 Level 3-4 (Strong) | 🟨 Level 2 (Adequate) | 🟧 Level 1 (Weak) | 🟥 Level 0 (Absent)
Common Pitfalls I've Seen (And How to Avoid Them)
After conducting 60+ Current Profile assessments, I've seen these mistakes repeatedly:
Pitfall 1: The "We're Already Doing This" Trap
In 2021, I assessed a technology company whose CISO insisted they were "at least Tier 3 across the board." He pointed to their impressive tool stack:
Next-gen firewall
EDR on all endpoints
SIEM with threat intelligence
Vulnerability scanner
DLP solution
But when I dug deeper:
The firewall had default rules that hadn't been tuned in 3 years
EDR alerts went to an unmonitored mailbox
The SIEM had never triggered an actual investigation
Vulnerability scans ran monthly, but nobody reviewed results
DLP was in "monitor only" mode and never enforced
Having tools doesn't mean you're mature. Using them effectively does.
"Security maturity isn't measured by the tools you own—it's measured by the problems you've solved."
Pitfall 2: The Documentation Illusion
I call this the "policy theater" problem. Organizations create beautiful policies, get them approved, file them away, and never look at them again.
A healthcare company showed me their 87-page incident response plan. I asked when they'd last used it.
"We've never had an incident," they said proudly.
"When did you last test it?" I asked.
Silence.
We ran a tabletop exercise. Their plan fell apart in 15 minutes. It referenced people who'd left the company, tools they no longer used, and processes that didn't match reality.
Documentation gets you to Level 1. Regular execution gets you to Level 2. Continuous improvement gets you to Level 3.
Pitfall 3: The Optimism Bias
People naturally rate themselves higher than reality warrants. I combat this with objective evidence requirements:
Assessment Evidence Standards:
| Claimed Level | Evidence Required |
|---|---|
| Level 1 | Show me the process exists (document, tool, or demonstration) |
| Level 2 | Show me you use it regularly (logs, tickets, or work products from past 90 days) |
| Level 3 | Show me organization-wide consistency (evidence from multiple teams/locations) |
| Level 4 | Show me continuous improvement (metrics trends, optimization examples, innovations) |
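The evidence standards above, the Level 0-4 scale from Phase 1, and the heat-map legend from Phase 5 can be applied mechanically so that a claimed level is never recorded without the evidence that earns it. The Python below is an added example, not a tool from this article or from NIST; the evidence kinds, the 90-day recency window, the team-count rule for Level 3, and the sample ratings are all my assumptions and constructed data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Maturity scale from the article: Level 0 Absent ... Level 4 Optimized.
LEVEL_NAMES = {0: "Absent", 1: "Initial", 2: "Managed", 3: "Defined", 4: "Optimized"}
# Evidence kinds that prove regular use (Level 2 standard: logs, tickets, work products
# from the past 90 days); "metric_trend" is the Level 4 signal. Assumed taxonomy.
USAGE_KINDS = {"log", "ticket", "work_product", "metric_trend"}


@dataclass(frozen=True)
class Evidence:
    kind: str       # document | tool | demonstration | log | ticket | work_product | metric_trend
    team: str       # team or location that produced it (Level 3 needs more than one)
    observed: date  # when the artefact was produced


@dataclass
class Rating:
    sub_id: str     # CSF subcategory, e.g. "ID.AM-1"
    function: str   # Identify / Protect / Detect / Respond / Recover
    claimed: int    # level the control owner claims
    evidence: tuple = ()


def supported_level(r: Rating, as_of: date, recency_days: int = 90) -> int:
    """Highest level the evidence supports, capped at the claim (never raised above it)."""
    if not r.evidence:
        return 0                                   # nothing to show: Absent
    level = 1                                      # something exists: Initial
    recent = [e for e in r.evidence
              if e.kind in USAGE_KINDS and (as_of - e.observed).days <= recency_days]
    if recent:
        level = 2                                  # used regularly: Managed
        if len({e.team for e in recent}) >= 2:
            level = 3                              # consistent across teams: Defined
            if any(e.kind == "metric_trend" for e in recent):
                level = 4                          # measured improvement: Optimized
    return min(r.claimed, level)


def heat_label(level: float) -> str:
    """Legend used by the one-page heat map: Strong / Adequate / Weak / Absent."""
    for floor, label in ((3, "Strong"), (2, "Adequate"), (1, "Weak")):
        if level >= floor:
            return label
    return "Absent"


def roll_up(ratings, as_of: date) -> dict:
    """Mean validated level per function, rounded to one decimal like the benchmark table."""
    per_function = defaultdict(list)
    for r in ratings:
        per_function[r.function].append(supported_level(r, as_of))
    return {f: round(mean(v), 1) for f, v in per_function.items()}


# Constructed sample ratings (not real client data), mirroring the article's Detect story:
# a runbook on paper earns Level 1, not the Level 3 the owner claims.
AS_OF = date(2024, 6, 30)
SAMPLE = [
    Rating("ID.AM-1", "Identify", 2, (Evidence("work_product", "IT ops", date(2024, 6, 1)),
                                      Evidence("document", "IT ops", date(2023, 1, 10)))),
    Rating("PR.AC-1", "Protect", 3, (Evidence("ticket", "IT ops", date(2024, 6, 12)),
                                     Evidence("ticket", "Plant B", date(2024, 5, 20)))),
    Rating("DE.AE-1", "Detect", 3, (Evidence("document", "Security", date(2022, 3, 1)),)),
    Rating("RS.RP-1", "Respond", 2),   # plan claimed, nothing produced in the interview
]

if __name__ == "__main__":
    for r in SAMPLE:
        lvl = supported_level(r, AS_OF)
        print(f"{r.sub_id}: claimed {r.claimed}, supported {lvl} ({LEVEL_NAMES[lvl]})")
    for f, avg in roll_up(SAMPLE, AS_OF).items():
        print(f"{f}: {avg} -> {heat_label(avg)}")
```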
Pitfall 4: Assessing in Isolation
A manufacturing CISO did his Current Profile assessment without involving business units. His assessment showed strong capabilities in protecting corporate data.
What he missed: manufacturing floor systems had no security controls, industrial control systems weren't included in monitoring, and the supply chain systems were completely unassessed.
A ransomware attack six months later entered through the manufacturing network—the blind spot in his assessment.
Your Current Profile must cover the entire organization, not just the parts you're comfortable assessing.
Practical Tips from the Trenches
After 15 years of assessments, here are my hard-won lessons:
1. Start with Quick Wins
Don't try to assess everything at once. I use a phased approach:
Week 1-2: Assess Identify function (foundation for everything else)
Week 3-4: Assess Protect function (usually where most investment is)
Week 5-6: Assess Detect, Respond, Recover (often the weakest areas)
Week 7-8: Consolidate and validate
2. Use Interviews to Find Truth
Documents lie. Interviews reveal reality. I always ask:
"Show me how you actually do this"
"When did you last use this process?"
"What breaks when you try to follow the documented procedure?"
"What workarounds have you created?"
The workarounds are gold—they reveal where your documented processes diverge from reality.
3. Benchmark Against Peers
Context matters. A Level 2 capability might be strong for a 50-person startup but weak for a regulated financial institution.
I maintain benchmark data from my assessments (anonymized, of course):
Average Maturity Levels by Industry (Based on 60+ Assessments)
| Function | Technology | Healthcare | Financial | Manufacturing | Retail |
|---|---|---|---|---|---|
| Identify | 2.4 | 2.2 | 2.6 | 2.1 | 1.9 |
| Protect | 2.6 | 2.4 | 2.8 | 2.2 | 2.0 |
| Detect | 1.8 | 1.6 | 2.2 | 1.4 | 1.5 |
| Respond | 1.9 | 1.8 | 2.3 | 1.6 | 1.6 |
| Recover | 2.0 | 2.1 | 2.4 | 1.8 | 1.7 |
This data helps organizations understand where they stand relative to peers and where industry weaknesses exist.
4. Be Brutally Honest
The Current Profile is not a marketing document. It's a diagnostic tool. Inflate your ratings, and you'll build an improvement plan that addresses the wrong problems.
I tell clients: "I'd rather you be embarrassed in this room today than compromised in the marketplace tomorrow."
A financial services company resisted rating their incident response below Level 2. "We have a plan," they insisted. "That's got to count for something."
I asked them to walk me through their last incident. They couldn't remember one. So we simulated a ransomware attack. Within 20 minutes:
Nobody could find the incident response plan
Three different people claimed to be "in charge"
Critical decision-makers weren't available
Communication broke down
Nobody knew how to reach the cyber insurance carrier
They rated themselves Level 0 after that exercise.
What Comes After the Current Profile?
The Current Profile isn't the destination—it's the starting point. Here's what happens next:
1. Develop Your Target Profile
Based on your Current Profile, you'll define where you need to be. This includes:
Business risk tolerance
Regulatory requirements
Customer expectations
Industry benchmarks
Budget constraints
2. Gap Analysis
Compare Current to Target to identify:
Critical gaps (high risk, low maturity)
Quick wins (easy improvements with high impact)
Long-term projects (significant effort required)
3. Roadmap Development
Create a prioritized plan to close gaps, typically over 12-36 months.
4. Executive Communication
Translate your Current Profile into business language. I use this framework:
Current State Communication Template:
| Aspect | Status | Business Impact | Recommendation |
|---|---|---|---|
| Customer Data Protection | 🟨 Adequate | Meets minimum requirements, but competitors may be stronger | Enhance encryption and access controls (6 months, $150K) |
| Incident Detection | 🟧 Weak | May not discover breaches for weeks or months | Implement 24/7 monitoring (3 months, $300K) |
| Response Capabilities | 🟧 Weak | Incidents will be chaotic and costly | Develop and test incident response plan (2 months, $50K) |
| Recovery Planning | 🟨 Adequate | Can recover but may take days or weeks | Test and optimize recovery procedures (4 months, $100K) |
This translates security jargon into business decisions.
A Real Success Story
Let me close with a success story that illustrates why Current Profiles matter.
In 2022, I worked with a 200-person SaaS company preparing for their Series B funding round. They'd grown rapidly and knew security needed attention, but didn't know where to start.
We conducted a comprehensive Current Profile assessment. The results were sobering:
Overall Maturity: Tier 1.6 (Risk Informed, but barely)
Key findings:
Strong identity management (Level 3) but weak monitoring (Level 1)
Good documentation (Level 2) but little testing (Level 1)
Adequate technology (Level 2) but insufficient staffing (Level 1)
Business-aware leadership (Level 2) but siloed execution (Level 1)
We used the Current Profile to build a targeted 18-month roadmap focused on:
Standing up 24/7 security monitoring (addressed detect gap)
Implementing formal change management (addressed maintenance gap)
Conducting quarterly incident response drills (addressed response gap)
Establishing vendor security program (addressed supply chain gap)
The investment: $650,000 over 18 months.
The results:
Successfully closed Series B at a $120M valuation
Investors cited security maturity as a key factor
Landed three enterprise customers requiring SOC 2
Detected and stopped a ransomware attack within 4 minutes (would have been catastrophic 18 months earlier)
Reduced cyber insurance premium by 35%
The CEO told me: "The Current Profile gave us a roadmap out of chaos. We knew exactly what to fix and why it mattered. Best $45,000 we ever spent." (That was my assessment fee—worth every penny, in my biased opinion.)
Your Action Plan
Ready to develop your Current Profile? Here's your week-by-week plan:
Weeks 1-2: Prepare
[ ] Define scope and objectives
[ ] Assemble assessment team
[ ] Gather existing documentation
[ ] Schedule stakeholder interviews
Weeks 3-6: Collect Data
[ ] Review all security documentation
[ ] Conduct technical assessments
[ ] Interview key stakeholders
[ ] Perform hands-on testing
Weeks 7-10: Assess
[ ] Rate each NIST CSF subcategory
[ ] Document evidence for each rating
[ ] Identify gaps and risks
[ ] Determine Implementation Tier
Weeks 11-12: Document
[ ] Create executive summary
[ ] Write detailed assessment report
[ ] Develop visual dashboards
[ ] Prepare presentation materials
Weeks 13-14: Validate and Present
[ ] Review findings with assessment team
[ ] Validate ratings with evidence
[ ] Present to leadership
[ ] Plan next steps
The Truth About Current Profiles
Here's what I've learned after 15 years: The Current Profile process is more valuable than the Current Profile document.
The process forces conversations that don't otherwise happen. It breaks down silos. It creates shared understanding. It reveals assumptions and blind spots. It builds consensus around priorities.
I've seen organizations transform not because they produced a perfect assessment, but because the assessment process aligned their teams around a common understanding of reality.
"The Current Profile is a mirror. It doesn't change what you are—it reveals what you've always been. What you do with that reflection determines everything."
Don't fear what you might discover. Fear what you might miss by never looking.
Start your Current Profile assessment today. Future you—and your stakeholders—will thank you.