Why a traditional security maturity approach falls short and what does work
In many organizations, information security is still treated as a box-ticking exercise. 'Security maturity' is 'measured' against all kinds of abstract models, filled with general terms, woolly language and a patchwork of spreadsheets. CISOs, CIOs and CTOs are consequently left with reports full of platitudes, but without direction.
What is missing? Concrete tools, real insights and an approach that is in line with how organizations really work today. In this blog, Patrick van Bemmelen, security consultant at Wortell, shares his experience: why the traditional approach does not always work well anymore and what he sees in practice at different organizations.
What do I see in practice? Paper maturity, but little guidance
I see the same pattern in various organizations, from healthcare institutions to public executive agencies and internationally operating companies. They have their ISMS documentation in order, policies are neat and tidy, and a CMM or ISO 27001 audit was done at some point. Yet they struggle with questions such as:
- "What risks are there really?"
- "How do I show that we are improving?"
- "Where should I invest for maximum impact?"
The problem? Most maturity models get stuck at levels of abstraction such as "repeatable" or "defined". They say something about processes on paper, but little about how resilient your organization actually is, and certainly nothing about how to increase that resilience.
Why should it be different? Control, not status
Today's security requires more than statuses and scores. It requires guidance. What I wish for organizations is an approach that goes beyond observation, one that:
- Focuses on improvement, not just assessment.
- Creates support and direction, not just ticking off compliance.
- Fits the organizational context, not a generic model.
That is why we have developed a very practical Security Maturity Scan: not an audit, but a hands-on learning instrument.
How do we do it? Concrete, applicable and in context
Our scan always starts from the organization's own practice: the type of service, the risks in the chain, and the maturity level of governance and the IT organization. No checklists, but:
- Clear maturity scores per domain (such as governance, risk and incident response)
- Concrete overview of gaps and risks, including quick wins
- Advice that you can use immediately as a CISO, CIO or CTO
- A roadmap that helps you guide investments and policies
For example: at a public organization, the incident response processes turned out to exist only on paper; nobody knew who should do what in the event of an actual attack. After our analysis they defined clear responsibilities, simulated incidents and trained the team. Within three months they were demonstrably more resilient!
What I often see go wrong? Models without a story
The biggest pitfall of traditional maturity assessments? They measure maturity without the why and the how. "You score a '3' on risk management." Fine, but what does that mean for your cloud transition, your customers or your suppliers? What should you prioritize if you have limited capacity? What do you tell your board?
What we notice: as soon as you sit down with boards and show where the risks are really accumulating and how they can manage them, the conversation changes. Then it is no longer about "will we pass the audit?", but about: "How do we ensure that we remain agile and safe as an organization?"
Finally, maturity is not an end in itself, but a means to resilience
As a CISO, CIO or CTO, you are faced with a complex task. You want to demonstrate that you have a grip on information security, that risks are under control and that you are aiming for continuous improvement. Our Security Maturity Scan will help you with that! Not with abstract models, but with insights and action perspectives.