Skip to content
Cybersecurity Maturity Assessment

Measure program maturity — then operate the gap closed.

Valentra Labs assesses cybersecurity program maturity against NIST CSF 2.0 and runs the remediation work as an operating program, so the score moves between assessments.

The problem

A maturity score you cannot move is just a number.

A maturity score on a slide tells you where you stand once. Without an operating program behind it, the gaps it names are still open at the next assessment.

The score is the easy part. Closing the gap is the program.

  • 01 / 03 A maturity assessment tells you where you stand once, on a slide.
  • 02 / 03 Without a program behind it, the gaps it names are still open at the next assessment.
  • 03 / 03 The score does not move, because nothing operates the work to move it.

Insight

Insight
A maturity score is a starting line, not a finish.

The Valentra operating principle

The Valentra approach

The Valentra approach: assess, then operate the gap closed.

Valentra Labs grades maturity against NIST CSF 2.0, then operates the gap-closing work on Valentra Nexus — each remediation tied to a control, its evidence, and a board-ready Decision Packet.

  • Valentra Labs grades program maturity against NIST CSF 2.0.
  • Each gap becomes remediation work on Valentra Nexus, tied to a control and its evidence.
  • Progress is tracked against the target profile between assessments.
  • A board-ready Decision Packet shows the score moving, not just the score.
Outcome

What leadership gets a score that moves between assessments

  • 01 / 03 A maturity grade against NIST CSF 2.0 you can trust.
  • 02 / 03 Remediation operated, not just recommended.
  • 03 / 03 A Decision Packet that shows measurable progress.
Consequence

What an assessment-only score costs

  • Static maturity

    The next assessment finds the same gaps the last one named.

  • Shelved reports

    The findings live in a slide deck no one operates from.

  • Unclear priorities

    Without a program, every gap looks equally urgent and none gets closed.

  • No proof of progress

    Leadership cannot show the board the score is improving.

Impact

The first thirty days

  1. Days 1–10 Grade
    • Program maturity is assessed against NIST CSF 2.0.
    • Gaps are ranked by risk and effort.
  2. Days 11–20 Operate
    • Priority gaps become tracked remediation on Valentra Nexus.
    • Each item ties to a control and the evidence that closes it.
  3. Days 21–30 Report
    • The Decision Packet shows the target profile and progress toward it.
    • Leadership sees the score beginning to move.

Built for the committee that owns the decision

The board-ready Decision Packet this produces

Every Valentra Labs program produces the same artifact: a board-ready Decision Packet carrying the situation, options, recommendation, evidence, and approval chain — generated by Valentra Nexus.

Decision Packet · v1.0

Q2 2026 — Crown-Jewel Risk Disposition

pkt_2026-04-17_a3f8e1

Situation

Q2 program review covers the crown-jewel ePHI store and its supporting control envelope. 487 endpoints catalogued across three network segments; 12 unsanctioned SaaS surfaces detected by the shadow-IT scan. Continuous monitoring posture is operating; the residual question is risk acceptance for two compensating-control gaps surfaced this cycle.

Risk & Impact

14 critical findings scored against the revenue-at-risk model. Two compensating gaps (vendor-SOC-2 attestation lapse + patch-cycle #38 awaiting CAB sign-off) carry residual risk of $1.4M in unmitigated regulatory exposure if a HITRUST audit lands before remediation closes. Patient-data confidentiality remains the load-bearing impact dimension.

Options

  1. Accept residual risk through Q3, with quarterly board re-review.
  2. Accelerate remediation by re-prioritizing the patch cycle ahead of the planned Q3 platform migration (cost: 2 engineer-weeks).
  3. Transfer risk via expanded cyber-insurance rider (cost: $48K/yr premium delta; coverage gap on ePHI exfiltration remains).

Recommendation

Pursue Option 2 — accelerate remediation. The 2 engineer-weeks of effort cost is recoverable in Q3; the residual exposure is asymmetric (regulatory floor of $1.4M vs. ~$120K labor delta). Document the patch-cycle re-prioritization as a logged decision with the program owner; close the SOC-2 attestation gap via vendor outreach in the same window. Insurance rider deferred to Q4 review.

Evidence

Twelve evidence artifacts back the recommendation — asset inventory, control mapping, vendor SOC-2 status, residual-risk model, patch-cycle telemetry, and the prior packet's audit trail. One control attestation is overridden with a documented compensating-control narrative; two vendor attestations are pending the Q2 refresh window.
ArtifactHashStatusDetailCaptured
Asset inventory snapshot — 487 endpoints#a3f8e1b2verified
Control mapping cross-walk — 93 controls#b7c4d9e0verified
Vendor SOC-2 attestation — current#c9d0e2f1pendingRefresh window opens 2026-05-12; vendor confirmed window…
Vendor SOC-2 attestation — secondary processor#d2e3f4a5pending
Residual-risk model — revenue-at-risk#e1f2a3b4verified
Patch cycle #38 — CAB queue position#f3a4b5c6overridden
Overridden per compensating-control narrative — see attached
Penetration test report — Q1 follow-up#a5b6c7d8stale
Prior packet audit trail — pkt_2026-01-09_b8c4e2#b6c7d8e9verified

Approval Chain

CIO and CISO have signed. The CCO signature is pending receipt of the vendor-SOC-2 refresh; the program owner has logged the override and the compensating-control narrative.
  1. Chief Information OfficerM. AlvarezSigned 2026-04-17T14:08:11Z
  2. Chief Information Security OfficerJ. ParkSigned 2026-04-17T14:18:42Z
  3. Chief Compliance OfficerPending signatureAwaiting vendor SOC-2 refresh — window opens 2026-05-12
Generated by Valentra Nexuspkt_2026-04-17_a3f8e1
FAQ

The questions we hear most.

Which maturity model do you use?

Valentra Labs assesses program maturity against NIST CSF 2.0, grading across its functions and recording each gap against a control.

Is this only an assessment?

No. The assessment is the starting point; Valentra Labs then operates the remediation work on Valentra Nexus so the score moves between assessments.

How do you show the score is improving?

Progress is tracked against the target profile and summarized in a board-ready Decision Packet, so improvement is visible rather than asserted.

How soon does the score move?

Remediation begins in the first month, and progress against the target profile is reported from the first Decision Packet onward.

Valentra Labs assesses cybersecurity program maturity against NIST CSF 2.0, then operates the gap-closing work on Valentra Nexus — each remediation tied to a control, its evidence, and a board-ready Decision Packet — so the score moves between assessments.

as of NIST CSF 2.0