Fig 7.4

Security Governance Maturity Assessment Without the Guesswork

So many words! Wouldn’t you rather just watch this on YouTube?

Most organizations can’t answer a simple question: how mature is your security governance? Not with a guess, not with a feeling, but with a number. The Security Governance Maturity Assessment from Chapter 7 of Cyber Risk is a Myth fixes that.

It’s a 24-question diagnostic tool that rates your organization across four dimensions, produces a quantified score, and forces you to pick three things to fix first. No buzzwords, no compliance theater. Just a score and a plan.

Looking for the templates?

This makes a lot more sense when you look at the templates in Word | Markdown | Proton Docs. Have a strange need to give me your email address? Well, I do write a newsletter where you’ll get more of these without advertising.

When Should You Use the Security Governance Maturity Assessment?

The obvious trigger is an annual security program review, and if you’re already doing one, this assessment slots in cleanly. You rate the 24 criteria, calculate the score, compare it to last year’s number, and see whether you’re moving in the right direction.

But the less obvious triggers are where this tool earns its keep.

Rapid Growth or Expansion

Consider a company that’s grown fast. Revenue’s up, headcount’s up, new product lines, new facilities, new markets. The operations side scaled, but the governance side probably didn’t, because nobody builds governance during growth spurts. They build it after something goes wrong, or they’re forced to by a market regulator or a contract. Running this assessment after a period of rapid expansion tells you exactly how far behind you’ve fallen, and in which specific areas.

Ask yourself if any of these happened lately:

  • Revenue increased significantly
  • Headcount doubled or tripled
  • New product lines added
  • New facilities opened
  • New markets entered

Each of these triggers creates governance debt that this assessment exposes.

Post-Acquisition Due Diligence

Think about post-acquisition scenarios. You bought a company, you integrated their systems, but do you know what their governance maturity looked like before the deal closed? If the answer is no, you’re operating blind on inherited risk. The Marriott case study from Chapter 7 is a perfect example. Marriott’s board didn’t know about the malware infection in Starwood’s systems when they closed the acquisition. Had someone run a governance assessment on Starwood’s security practices during due diligence, the gaps would have been obvious.

Regulatory Deadlines and Compliance Requirements

Here’s another one: regulatory deadlines. If your industry is facing new compliance requirements, whether that’s more NYDFS updates, international data protection laws, or whatever your state is doing about AI, you need to know where you stand before the regulator asks. Walking into a compliance conversation with a documented maturity score and an improvement roadmap is very different from walking in with “hey, we think we’re doing okay.”

Leadership Transitions

And then there’s the scenario nobody wants to talk about: a leadership change. New CISO, new CIO, new CEO. The incoming leader needs a baseline, and “I think we’re at Stage Three” isn’t a baseline. A completed assessment with 24 rated criteria and written justifications is something a new leader can understand on day one.

Why This Assessment Matters for Security Governance

Here’s the problem with security governance: it’s invisible when it’s working. Nobody celebrates the absence of a breach caused by good decision authority. Nobody throws a party because a RACI matrix prevented a misaligned investment. Governance is a preventive discipline, and preventive disciplines are chronically underfunded because their success looks like nothing happened.

The Security Governance Maturity Assessment solves this by making governance measurable. It converts “I think we have decent governance” into “we scored 1.21 out of 4, and here are the three criteria dragging us down.” That number does work for you. It makes the argument for budget, for headcount, for time on the executive agenda.

Proportional Maturity, Not Maximum Maturity

Chapter 7 of “Cyber Risk is a Myth” makes another point that’s worth repeating: you don’t need to reach the Optimal stage. A 42-person manufacturer doesn’t need the same governance as a Fortune 500 hotel chain. The chapter explicitly says to target the maturity level suited to your size, industry, and risk profile. That’s not a cop-out; it’s proportionality. Governance that’s disproportionate to the organization creates bureaucracy without value.

But here’s the catch. You can’t pick a target if you don’t know your starting position, and most organizations don’t. They’re guessing. They assume that because they have a firewall and an antivirus renewal schedule, they’re at Stage Two or Three. The assessment replaces assumptions with evidence.

Three Priorities, Not Twelve

The assessment also solves a second problem: prioritization. Security governance has a lot of moving parts: policies, committees, reporting relationships, decision authority, risk appetite, feedback mechanisms. Trying to fix everything at once guarantees you’ll fix nothing well. The assessment forces you to identify three lowest-scoring criteria and build focused plans around them. Three priorities, not twelve, not a “strategic initiative,” or a reason to form a committee. Three things, with timelines, named owners, and success metrics.

Perception Gaps Are Findings

The collaborative angle matters too. The assessment instructions recommend having multiple people complete it independently and then comparing results. This isn’t a group hug exercise; it’s a diagnostic technique. If the IT contractor rates governance a 3 and the business owner rates it a 1, that gap IS a finding. Perception differences between security and business roles are themselves indicators of governance immaturity.

A Look at the Completed Example

youtube placeholder image

This’ll make way more sense if you have the template in Word | Markdown | Proton Docs

To see how this works in practice, imagine a fictional company. Precision Components, LLC, with 42 employees, $8.5 million in annual revenue, based in Plano, Texas. They manufacture CNC-machined metal parts. They’ve grown steadily since 2020, added a surface treatment line, achieved ISO 9001, and are exploring export markets. Their security governance has not kept pace with their operational growth.

Running the assessment produces the following ratings across all four sections. Each entry captures the rating and a brief justification grounded in the company’s actual situation.

Chapter 7 Security Governance Maturity Assessment Demo

Section 1 subtotal: 8 points.

Sections 2, 3, and 4 follow the same pattern, with most criteria scoring 1 and a few scoring 2.

The final calculation looks like this:

Total Score: 29
Overall Maturity Score: 1.21
Stage: Initial / Ad Hoc

A score of 1.21. That’s barely above their shop floor. The assessment then identifies three improvement priorities. Here’s the first:

Chapter 7 Security Governance Maturity Assessment Demo

The second priority targets the risk appetite statement:

Chapter 7 Security Governance Maturity Assessment Demo

The third priority addresses security in strategic planning:

Chapter 7 Security Governance Maturity Assessment Demo

Finally, the quarterly roadmap ties it all together:

Chapter 7 Security Governance Maturity Assessment Demo

Four weeks for the RACI matrix. Six weeks for the risk appetite statement. Eight weeks for the capex checkpoint. Twelve months to the reassessment. That’s a plan, not a wishlist.

Frequently Asked Questions

What is the Security Governance Maturity Assessment?

It’s a diagnostic tool from Chapter 7 of “Cyber Risk is a Myth” by Kayne McGladrey. The assessment rates 24 criteria across four dimensions: Decision Authority and Accountability, Governance Structures, Integration with Business, and Processes and Operations. Each criterion gets a 1-4 rating, and the total divided by 24 produces an overall maturity score that places the organization in one of four stages: Initial/Ad Hoc, Traditional, Advanced, or Optimal.

How do you calculate the overall maturity score?

Rate all 24 criteria on a 1-4 scale, sum the ratings, and divide by 24. A score of 1.0 to 1.9 places you in the Initial/Ad Hoc stage, while a 2.0 to 2.9 puts you in Traditional. A 3.0 to 3.9 is Advanced, and a 4.0 is Optimal. The math is intentionally simple so the focus stays on interpretation and action, not calculation.

Should every organization aim for the Optimal stage?

No. The chapter explicitly states that organizations should target the maturity level suited to their size, industry, and risk profile. A small manufacturer doesn’t need the same governance structures as a publicly traded multinational. The goal is to move deliberately from your current stage to an appropriate target, not to chase the highest score. Governance that’s disproportionate to the organization creates bureaucracy without value.

What happens after you complete the assessment?

You identify the three lowest-scoring criteria as improvement priorities. For each one, you document the current state, a realistic 12-month target, the people needed, specific actions, a timeline, and success metrics. Then you build a quarterly roadmap and schedule a reassessment in 12 months. The reassessment is what closes the loop: if your score went up, you’re making progress, and if it didn’t, you know where to dig in.

Who should complete the assessment?

Ideally, have multiple people complete it independently and then compare the results. If the IT lead rates governance a 3 and the business owner rates it a 1, that gap is itself a finding. Perception differences between security and business roles indicate governance immaturity. The comparison exercise surfaces those differences and forces a conversation about why they exist.

How long does it take to complete the assessment?

The rating exercise itself takes about 30 to 45 minutes if you know your organization’s governance practices. The improvement planning section takes longer, maybe an hour or two, because you’re committing to specific actions, timelines, and success metrics. The real time investment is in executing the plan, not filling out the form.

Can this assessment be used for compliance reporting?

Maybe, but that’s not its primary purpose. The assessment is designed to drive improvement, not to satisfy an auditor. That said, a documented maturity score with dated justifications and an improvement roadmap is strong evidence of governance activity. If a regulator asks how your board oversees cybersecurity risks, handing them a completed assessment is a far better answer than “we have regular discussions about that.”

Attribution

This resource and the accompanying training are derived from the work of Kayne McGladrey, author of “Cyber Risk is a Myth” (published 2026). The book is available at https://www.routledge.com/Cyber-Risk-is-a-Myth-A-Business-Approach-to-Integrated-Risk-Management/McGladrey/p/book/9781041249054, as well as other book stores and libraries. The fictional company scenarios used in the examples are for illustrative purposes only and do not represent real organizations.

Similar Posts