How We Know What Done Looks Like

Executive Summary

While cybersecurity standards and best practices advise what to do, they rarely define how much to do. It is critical to understand that cyber risk can never be eliminated and, at a certain point, there are diminishing returns on investment. Setting the goal for what is “good enough” is both a business decision and a judgement call by experienced security practitioners.

Our cybersecurity maturity journey is the story of “how we know what done looks like”. The SecuriThink team has already made the journey so we can show you the way.

The beginning is a very good place to start

As illustrated above, the continuum of “how much to do” can be described with a 5-point scale.

Research from the Department of Defense, KPMG, Accenture, WSJ Pro Research, and others supports the experience of the SecuriThink team that most organizations are in the Initial phase of this scale.

That is where SecuriThink began as well. Our first cybersecurity project in 2012 was to support the Chief Information Security Officer (CISO) of a Fortune 500 specialty vehicle manufacturer in a multi-year, multi-million-dollar initiative to move the entire enterprise from 1.9 on this scale to a 3.

The company had four main business units, only one of which was focused on Defense customers. New contract requirements from the U.S. Department of Defense (DoD) had forced some cybersecurity protections to be put in place but then the Board of Directors wanted those same standards to apply to the 3 commercial business units.

For this to succeed, the CISO needed to engage the senior leaders in every one of the businesses; the CISO also needed to reassure the Board that the mission was being executed. Senior stakeholder alignment was a strong theme from the beginning until the end.

The right goal

While the DoD had set the standard for the first contracts, it was up to the CISO to advise the Board on where to set the bar for the commercial segments. The first goal they picked was 3 on the maturity scale.

Three on this scale is a pragmatic initial goal for overall business risk reduction which simultaneously meets such needs as satisfying the requirements currently in many customer contracts, satisfying regulations and demonstrating sound practices to satisfy cyber insurance policy underwriters. This level of maturity includes just enough policies and procedures to support repeatable processes as well as fundamental technical controls such as foundational backups which are hardened to basic attack vectors.

Reaching higher for the right reason – and knowing when to stop

Once our client achieved the goal of 3 on the scale, their Board of Directors saw an opportunity to use cybersecurity as a market differentiator. They set a new goal of 3.5.

A few years later the Board moved the bar to 4.0. Ultimately, the organization achieved a maturity of just over a 4 and made a business decision to focus on sustaining that level because going higher brought diminishing returns.

Sustaining – don’t lose hard won gains

Sustaining at level 4 is, by itself, not a goal to be taken for granted.

Sustaining a higher level of maturity requires discipline. Just like the car doesn’t stay washed, the lawn doesn’t stay mowed, and our hair doesn’t stay trimmed, the basic configurations and hygiene practices that are the foundation of security rapidly deteriorate if they’re not tended.

It takes a whole new level of engaging team members to maintain a goal once it’s achieved.

Celebrating the wins

As we had the privilege of serving this client for over 10 years, we were on this maturity journey with them every step of the way. We got to celebrate as they consistently achieved a “superior” rating every year from the DoD Defense Contract Management Agency (DCMA) starting in 2014 and then won highly competitive awards from that agency in 2016 and again in 2019. The ultimate test was achieving a perfect score on a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Confidence assessment in 2022 along with assessor comments that their approach should be considered “industry best practices.”

The CISO had taken the security practice from a greenfield, and built an infrastructure which was rated in the top 10% for maturity worldwide.

This is the CMMC journey

Companies in the Defense Industrial Base (DIB) who are confronting the current contract requirements from the DoD and are anticipating the introduction of the Cybersecurity Maturity Model Certification (CMMC) with its third-party audit requirement will recognize this journey as the one that is ahead.

This is THE cybersecurity journey

Cyber risk has ranked in the top 3 business risks globally every year since 2017 [1]. This affects all industries and companies of all sizes. The data shows there’s no such thing as “too small to be attacked”.

Research from many sources says over half of companies have poor cybersecurity – they’re closer to 1.9 on the scale than they are to 3.

Our client had the advantage of many years to accomplish this standard and also had the support of the Board. Many are trying to decide if it’s worth the investment but meanwhile they’re burning daylight without preparing for an inevitable attack – or inevitable customer requirements and regulations, whichever comes first.

What does this mean for you and your organization?

The SecuriThink team has already made the journey so we can show you the way.

Our client of 10 years, Mike Warner, is now collaborating with us, both as an executive advisor to our clients and in bringing to market field-tested cybersecurity solutions based on many of the obstacles we’ve conquered and the wins we achieved together.

One of the first things Mike ever said to us in 2012 was “I don’t want to build a $10 fence around a $5 horse.” What a great way to describe what we had for decades been calling hyper-practical solutions and pragmatic right-sizing.

How we know what done looks like

Because we’ve achieved and sustained a maturity of over 4 on the scale, we can lead from experience much further along this journey than those who have only seen 3 or 3.5 themselves.

This is why and how “we know what done looks like”.

Let us make getting there easier for you.

Source:

[1] Allianz Risk Barometer: Identifying the Major Business Risks for 2024. https://commercial.allianz.com/news-and-insights/reports/allianz-risk-barometer.html


More About Us

About Mike Warner


As Vice President and CISO at Oshkosh Corporation for 12 years, Mike engineered, evolved, and sustained the award-winning cybersecurity program for this specialty vehicle innovator and Fortune 500 critical infrastructure enterprise which has $8 Billion in revenue, 150 global locations, and 15,000 team members.

At SecuriThink we value Mike’s extraordinary ability to switch between strategic vision and pragmatic implementation, a talent captured in one of the first things he ever said to us: “I don’t want to build a $10 fence around a $5 horse.”

Meet our founder


Clients praise deep insight, flexible strategy, tact and skill in working from front line employees to the C-suite, while smoothing the way for new habits that mean real change for an organization and its culture.

Our approach


SecuriThink is a team delivery. We include supporting skills to be as efficient as possible with your schedule and budget.
