Skip to Content

Reach the right security maturity level by creating a culture of continuous improvement

Henk de Ruiter
August 17, 2020

How to prioritize when security is a priority

In a post COVID world, when everyone is accessing their corporate networks from home, security matters have become the topmost concern of organizations. While there are corporate governance laws to mitigate risk and ensure compliance, more and more businesses are looking for a guarantee that their vendors and partners will safeguard information assets from security risks to ensure business continuity. There are lots of established practices to help organizations assess their security risks, implement security controls, and comply with privacy and information security regulations. But that is not enough!

I am not here to talk of these oft-quoted practices or frameworks, but rather to address the growing need to embed a culture of taking the crucial steps in the journey of your security maturity improvement without waiting for an overhaul of your security system overnight.

Start without wasting time in deliberation

When it comes to managing organizational security performance, an incremental improvement, rather than a big bang of ambitious change, always yields better outcomes. In a risk-based approach, you can only take decisions on the basis of what your immediate business risk needs you to do and what you are capable of doing at that moment. Some organizations have a big security gap that cannot be closed in one go. I advise such clients to NOT waste time trying to grasp totally where you are NOW (IST), but rather to focus on what to DO NOW. It is still acceptable if you do not know the optimal end result to strive toward, while also knowing at the same time that it will keep changing with time. Rather it is a smart move at least to start NOW once you know the direction of improvement.

Every iteration is a realized improvement

So it is important that you also understand that you will never be fully there in terms of an absolute security maturity.  During the time you are making updates to improve your current security maturity level, there will be newer risks resulting from changes in your own organization, by updated policies defined by regulators and/or by market happenings which will demand newer fixes to your systems. Over time, as your processes improve, every iterative security risk assessment will result in a smaller gap between the IST and SOLL.

I want to draw a bridge from risk assessment toward resilience, stressing on it as a continuous activity, embedded in the culture of organizations. In the beginning, clients may need consultation to help them decide and take actions to close the gap shown in their security risk assessment, but going forward as they gain better insights into the process, they can aspire toward a position of maturity, where they can take their own security-related decisions more easily. Eventually, they are in better control of their security services, and able to reap the benefits of outsourcing parts by externally managed security services.

So start by identifying the security maturity framework of choice, determine how mature your current security risk maturity is, define what your right level of maturity is you want to reach, what are the current market demands, what regulatory demands are valid for you, what is the timescale for you to reach your final aspirational level. Factor all these in, while you measure the gap from your current (IST) state to your aspirational state of maturity (SOLL) and define your (initial) actions in your security backlog. Plan your security risk analysis on improvement iterations performed according to your security backlog – with every iteration, close some of this gap to reach a more secure state. You cannot do all at the same time, but you can celebrate small successes and reach the right security maturity level by creating a culture of continuous improvement.


Continuously checking an organization’s security maturity is just the beginning of building more mature security management. Businesses need to go beyond continuous monitoring to really be effective — there needs to be a process of continuous improvement. I can go on and on about the benefits of the journey, but it is up to you to embed this culture into the DNA of your enterprise.

About the author

Trusted Advisor Cybersecurity / Principal Consultant | Netherlands
Henk is a Trusted Advisor Cybersecurity with extensive experience in large Business/IT projects. He has advised/managed the development and implementation of business-critical software programs, with a focus on Governance, Risk, Compliance (GRC), Privacy (GDPR), realizing Security Compliance Assurance and managing TRUST!


    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Slide to submit