Reporting information security risk to the business is an effective way to gain buy-in from leadership and supports informed decision-making and prioritization. The challenge is finding a repeatable methodology for visualizing information security maturity in an easy-to-consume, measured, and defensible manner. At Enterprise Holdings, Inc. (EHI), Kevin McQuade was tasked with building their maturity scoring system. The result? A visual representation of capability prioritization built from a comprehensive task list of defined functional categories, with scores calculated from maturity indexes in a fact-based, non-emotional manner. In this session, available to Core Members only, Kevin walks through EHI’s approach to building this capability and shares key insights, methodology, and their ongoing effort to create a transparent maturity scoring system.

Key Takeaways:

  • Identifying the tasks and functions within the security organization that need to be measured.
  • Defining measurement scales for maturity performance, value and importance to the business, and level of effort and complexity.
  • Quantifying each task through a committee governance approach and assigning measurements.
  • Visualizing results at an executive level to gain buy-in and budgeting to remediate risks.
Kevin McQuade, Risk Management Lead, Enterprise Holdings Inc.

ELIGIBILITY: This webinar is open to RH-ISAC Core Members only. Ineligible registrants will have their registration canceled. To learn about eligibility, visit www.rhisac.org/membership. Email [email protected] with any questions.