About the 5 Levels of Results

InfoSec initiatives aim at one of 5 different levels. If a project hits turbulence during implementation or if results disappoint, it is often because planning focused on goals at a level lower than the outcomes expected by executive sponsors or business stakeholders.

SecuriThink specializes in pragmatic right-sizing — so plans match expectations. We are in a unique position to add value when your organization is committed to results at level 3, 4 or 5. To avoid rework, apply the SecuriThink methodology from the outset; the smoothest transition starts with the end in mind.

Quality achieved at each level determines what is possible at the next level. More attention to business change is essential to opening the higher Return On Investment (ROI) of each level up the sequence. The results business stakeholders usually expect at level 3+ require significant attention to business transformation. Only in the movies can you “build it and they will come”.

We engage and manage factors too often thought to be outside the authority of a project. Aiming for level 4 or 5 unlocks the higher-order business results described in the links below.

Industry Buzz about Level 4 Results
  • “Security must be viewed as a ‘people problem’: Strong security is not just about tools; it is about people being educated about the importance of security in all aspects of their everyday life. Well-educated users will make good decisions about security and be more likely to be proactive and ask questions if they sense there is a security compromise.”1

  • “In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief executive to the newest hire, and not just personnel with “security” in their title or job description. Everyone should be accountable, and learn how not to be a victim.”2

  • “Cyber-risk management is an enterprise concern, not simply a technology issue. However, even organizations that accept this notion can struggle to embrace sound enterprise risk management practices unless senior management takes ownership of this issue, and the board provides necessary oversight.”1

  • “Organizations ready to increase cybersecurity capabilities can…drive a more risk aware culture across the entire organization…use collaboration both internally and externally to manage threats and secure the organization’s most valuable digital assets. Enforce security standards across both the IT Infrastructure and business processes.”3

  • “Make people your first line of defense.”4

  • “Those of us in the security industry know that an organization’s best defense against internal and external breaches is not technology alone. It is the culture of security within an organization – a mindset on the part of every individual so that actions in support of information security become automatic and intuitive.” 5

  • “People matter, perhaps even more than technology… Stopping the threat at the front door requires companies to foster a culture of security consciousness…And this isn’t a task for the IT department.
    Only the active involvement of top management can change the corporate culture and turn the pursuit of cybersecurity culture into more than a slogan. It’s up to management to reinforce the message that cybersecurity is a business objective.”6


  • “Culture eats strategy for breakfast.” Peter Drucker


  1. Cisco security manifesto principle 5. Cisco Annual Security Report 2015.
  2. Cyber Resiliency in the Fourth Industrial Revolution. 2016. Hewlett Packard Enterprise, FireEye, Marsh & McLennan
  3. Securing the C-suite: Cybersecurity perspectives from the boardroom and C-suite. IBM Global Business Services. 2016
  4. 2016 Verizon Breach Investigations Report Executive Summary
  5. Adel Melek. Protecting what matters: The 6th Annual Global Security Survey. Deloitte. 2009.
  6. Charles Cooper. Where cybersecurity & workplace culture intersect. AT&T insights CSO online. 2016

Industry Buzz about Level 5 Results
  • “Cyber resilience must reside in the organization’s DNA, so it becomes an organizational imperative to protect and enable digital interactions.”1

  • “Almost more than any other risk a company faces, are the myriad of stakeholders involved in building cyber resilience. The board of directors. Multiple members of the senior management team, including the CEO, CFO, general counsel, CIO, head of HR, and chief information security officer (CISO). Your employees. Your vendors. The role of the board and each member of senior management, in particular, should be clearly articulated in order to enhance your organization’s agility to respond to a dynamic threat and avoid conflict.”1

  • “In our increasingly interconnected world, the Internet of Everything is making trust a critical element of how people use network-connected devices to work, play, live, and learn. The relentless rise in information security breaches underscores the deep need for enterprises to trust that their systems, data, business partners, customers, and citizens are safe.” – John N. Stewart, SVP and Chief Security and Trust Officer, Cisco2

  • “We need to ask ‘what’s next?’ and be proactive, not just react to what’s already happened. And we need to do this whether we’re considering the short- or longer-term future.” Jyrki Mäki-Kala, CFO, Neste Oil, Finland3

  1. Cyber Resiliency in the Fourth Industrial Revolution. 2016. Hewlett Packard Enterprise, FireEye, Marsh & McLennan
  2. Blogs.Cisco.com Trust and Transparency. Anthony Grieco. June 3, 2015
  3. Redefining Boundaries: Insights from the Global C-suite study. IBM Institute for Business Value. 2016.

About Time and Schedule

Note that time is not shown in the diagram. Levels of results depend more on the quality of previous achievements. Level 3+ results are not readily bolted on after an implementation that has not created a sufficient basis for business change.

The easiest path to level 3+ results is to pay attention to business transformation from the very beginning and build it in throughout the project. There can still be phases to the project as long as sufficient business transformation is built into each phase.