Security Impact: Case study

• No single, mature security program or prioritized roadmap to guide investments and remediation.
• Existing policies and an incident response plan that needed review and improvement to meet operational needs.
• The need to demonstrate alignment to a formal framework (the county selected NIST CSF) and to show measurable maturity to auditors, insurers, and senior leadership.
• Limited budget and technical staff, but a requirement for continuous security guidance and validation.
  ‍

These requirements called for a practical, repeatable service that combined strategy, measurable metrics, and regular governance.

• Policy & IR plan review — We reviewed the county’s cybersecurity policies and existing Incident Response Plan, noted gaps, and delivered clear recommendations on what should be added or created to improve operational effectiveness.
• NIST CSF adoption & maturity tracking — Because the county selected NIST CSF, we mapped controls, defined maturity scoring, tracked progress over time, and produced NIST CSF maturity percentages for executive meetings so leadership could see measurable improvement.
• Risk tracking & heat maps — We established and maintained a risk register with heat-mapping so leadership and IT could see prioritized risks visually and understand remediation priorities.
• Regular governance — Bi-weekly meetings to review current projects, track remediation status, and keep stakeholders aligned on priorities and timelines.
• Executive reporting & scoring — Produced executive packets that included NIST CSF maturity percentages and risk heat maps; we also used a structured scoring approach in impact/score meetings to quantify progress over time.

• Discovery & baseline — Rapid current-state assessment and control mapping against NIST CSF to establish starting maturity levels and a prioritized risk register.
• Policy & IR refinement — Reviewed existing documents, and recommended concrete additions.
• Maturity measurement — Defined NIST CSF scoring and produced percentage-based maturity metrics for each CSF function and category; these percentages are produced regularly for executive reviews.
• Risk & heat mapping — Maintained a live risk register and heat map, updated as projects completed remediation or as new risks were discovered.
  ‍

Governance cadence — Bi-weekly meetings to track projects, and executive reporting (including NIST CSF maturity percentages and heat maps) to maintain executive visibility and decision support.

• A repeatable security program — A documented Security Strategic Plan and governance cadence that allowed the county to prioritize work and budget effectively.
• Operationally useful incident response — The IR Plan was improved with concrete, operational artifacts, increasing the county’s incident readiness.
• Measurable NIST CSF maturity — Leadership received clear NIST CSF maturity percentages at executive meetings, enabling objective decisions and funding requests tied to demonstrated progress.
• Risk visibility — Heat-mapped risks and a maintained risk register helped stakeholders focus on the highest-impact remediation work.
• Continuous momentum — Bi-weekly status meetings kept projects on track and provided the county IT team with ongoing, actionable guidance.