Domain goals

A domain goal sets a maturity target for one of the twelve CAMP domains as a whole, for example raising your Cloud Security posture or strengthening Identity and Access Management. It is the level most security leaders use to brief executives, because it maps cleanly to how budgets and teams are organized.

Each domain has its own score, calculated with the Org Score formula applied to the capabilities in that domain. That means a domain score is a criticality-weighted average of capability maturity, on a 0 to 100 scale. Moving the domain goal forward is really about moving the capabilities underneath it, weighted by how critical each one is.

This weighting changes where you should push. Raising a criticality 3 capability inside a domain lifts the domain score more than raising a criticality 1 capability by the same amount. So a domain goal is best read as a target for the weighted whole, then translated into specific capability goals that earn their place.

• Pick the domains where current maturity is furthest from target and criticality is highest. Those carry the most priority.

• Avoid spreading thin across all twelve domains at once. Concentrated improvement in a few moves scores faster than small gains everywhere.

• Use domain goals for the narrative; use capability goals for the work.

A peer delta in a domain is a performance difference against a privacy-preserving cohort average, not a gap. Decide your domain goal from your own targets and criticality first, then use the cohort view as context, not as the goal itself.

When the targets are set, check the effect in timeline and projections.