Case Study: How a CISO Optimizes Cybersecurity Strategy Using Maturity and Risk

*This Case Study uses fictional names and characters. Actual names withheld.


In the rapidly evolving landscape of digital threats, cybersecurity leaders are under intense pressure to secure organizations, communicate progress, and align their strategies with business goals. VitalisMed, a leading healthcare service provider, faced similar challenges when Elle took charge as their new Chief Information Security Officer (CISO).

Setting the Scene

Stepping into a department of over fifty information security professionals, Elle was immediately hit by the sheer complexity and state of disarray left by her predecessor. Seven director-level reports covered the broad spectrum of information security. And with a business model revolving around healthcare services, the stakes couldn’t have been higher.

A New Approach: Cybersecurity Maturity as a Metric

Historically, cybersecurity effectiveness was all about technical metrics: how many attacks detected, breaches prevented, vulnerabilities patched. When used to communicate with the executive leadership team, these metrics, while essential, did little to articulate the overall health of the cybersecurity program and risk impact to the organization. The previous CISO used operational metrics regularly, resulting in a collective shrug among the members of the executive team. The result: Elle’s predecessor lost the trust and confidence of VitalisMed’s leadership using metrics and measurement that were not understood and lacked alignment to business objectives.

Enter the concept of maturity – a holistic approach to assess the effectiveness, readiness, and adaptability of VitalisMed’s cybersecurity efforts. Maturity scores to contractual and regulatory controls shift the dialogue from isolated successes and failures to a continuous journey of process and control improvement.

Elle’s early vision was clear: Adopt a maturity model that resonates not just with IT stakeholders and SMEs, but across the organization’s leadership team. Before starting, Elle invested time speaking with and educating her team and executive stakeholders about the idea of using maturity. Elle’s plan is to use this as the key measurement for security program performance. She used the approach to explain how it can inform cybersecurity risk and help enable the success of key business objectives. She organized training sessions and conducted a workshop to ensure buy-in in for the planned strategy. This step was critically important as a new CISO for it allows open dialogue and creates relationships across teams.

VitalisMed’s leadership, namely the Chief Operating Officer (COO) who oversees the cybersecurity function, was initially skeptical of Elle’s approach. He became a supporter after realizing that this wasn’t just another attempt at technical jargon. The COO endorsed the idea of using maturity to measure cybersecurity performance because it provides a transparent, accountable, and business-relevant view of the function. With his endorsement, Elle set the stage for the real action.

Harnessing the Power of the TrustMAPP® Cybersecurity Performance Management Platform

At Elle’s prompting, VitalisMed invested in TrustMAPP®, a cloud-based (SaaS) platform specifically designed for identifying, measuring, prioritizing, communicating, and improving cybersecurity controls and risks over time. She leveraged an assessment framework that blended the robustness of NIST CSF 1.1 with the specificity of the HIPAA Security Rule. Elle saw more than just a tool; she saw a strategic weapon.

Each department underwent a control assessment and grouped these according to each department measured. From the Security Operations Center’s (SOC’s) real-time monitoring capabilities to the more strategic Risk Management functions, no stone was left unturned. The power of TrustMAPP lay not just in raw data crunching but in translating that data into actionable insights.

One striking discovery was the significant variance in control performance levels across various departments. While the Endpoint Security function in one department scored high, indicating a well-implemented and efficient system, Product Security lagged, highlighting specific areas of potential risk.

Budgeting with Precision

With the insights and leveraging TrustMAPP’s built-in recommendation engine, Elle’s budgeting process underwent a complete transformation. Instead of equal distribution or historical trends, funds were allocated based on the control performance potential risks. This ensures dollars are spent where they mattered the most, optimizing return on investment (ROI) and ensuring steady progression towards the cybersecurity goals, and risk reduction efforts set across all departments.

Tracking Progress and Continuous Improvement

Elle was not interested in a one-time assessment. TrustMAPP enabled her team to track projects dedicated to improving the control and process security maturity. The platform also serves as a communication tool, allowing Elle to present data-driven reports, aggregated for the Board, cementing her department’s position as a strategic asset rather than a cost center. TrustMAPP progress reporting and improvement tracking also supported Elle’s budgetary proposals and provided data to justify current investments with accountability in mind.

The Deep Dive

As months progressed, Elle started exploring TrustMAPP’s capabilities further. She initiated micro-level assessments, especially within the Product Security department. These assessments pinpointed specific processes and practices, enabling targeted improvements and rapid advances in cybersecurity process and control performance. Using a platform like TrustMAPP helps to establish ownership, transparency, and accountability across multiple teams.


Within a year, the winds of change were evident. The organization, once grappling with the abstract nature of cybersecurity, now had clear, tangible data to evaluate, strategize, and reduce gaps leading to risk. Elle’s pioneering approach, coupled with the power of the TrustMAPP platform, set VitalisMed on a path of cybersecurity excellence, blending technical prowess with business-aligned strategies.