In my 10 years as the CISO for the largest information enterprise in the world, the U.S. Department of Defense, we realized after numerous cyber incidents that leadership commitment was severely lacking and that victim organizations did not possess the tools, processes, staff, or mindset necessary to detect and respond to advanced intruders. Accordingly, we developed the Cyber Security Maturity Model to create a long term strategic commitment and an ability to measure tactical performance while institutionalizing a risk management culture.