Case Study: Security Maturity Assessment

Client: ASX-listed company

A structured, evidence-based assessment against the NIST Cybersecurity Framework provided the client with a clear understanding of their security maturity and a prioritised roadmap for improvement.

The Challenge

An ASX-listed company needed to understand their current cyber maturity. They engaged Fortian to conduct a technical review of cyber security controls against the NIST Cybersecurity Framework, covering key control gaps along with recommendations for improvement.

The client used the findings to inform a tactical security remediation plan and develop a longer-term security strategy to improve their cyber security defences.

Our Approach

Fortian applied a structured, risk-led methodology to evaluate the organisation's existing security architecture maturity, conduct an enterprise-wide cyber risk assessment, and develop a practical cyber security strategy. The methodology assessed not only what security capabilities existed, but how effectively they were implemented, integrated, and governed across the organisation.

At the core of this engagement was Fortian's Security Capability Model (SCM), closely aligned to NIST CSF and incorporating relevant controls from other recognised standards (e.g. ISO 27001, Essential Eight). The model was tailored to ensure alignment with the client's organisational context and terminology.

The SCM is structured as a layered, domain-based framework around core security functions (Govern, Identify, Protect, Detect, Respond, Recover), with each function decomposed into security capability domains such as identity and access management, endpoint security, network security, cloud security, logging and monitoring, and incident response. Each domain was assessed across defined maturity levels, illustrating progression from ad hoc or fragmented controls through to integrated, optimised and continuously improved capabilities.

1. Defined Scope and Objectives

Fortian commenced by clearly defining the scope and objectives of the security architecture review to ensure alignment with business priorities and regulatory expectations:

Identified systems, applications, cloud services, and network domains in scope
Confirmed review objectives (maturity uplift, risk reduction, compliance assurance, investment planning)
Engaged key stakeholders including the CISO, enterprise architects, and business unit representatives

This ensured the assessment was targeted, relevant, and defensible.

2. Assessed Current-State Architecture Maturity

Fortian conducted a comprehensive current-state assessment combining technical depth with organisational context. Activities included:

Interviews and workshops with architects, security engineers and business owners
Review of architecture documentation, configurations, standards and processes
Detailed technical assessment of security controls and their implementation
Assessment of security capabilities against the SCM using a maturity scoring approach
Evaluation of integration between domains (e.g. identity aligned with application security and detection capabilities)

This provided a clear view of design maturity, execution consistency, and cross-domain integration.

3. Threat- and Risk-Led Architecture Weakness Analysis

Building on the current-state assessment, Fortian identified architectural weaknesses and risk exposures through a threat- and risk-led lens:

Identified material architectural weaknesses and control deficiencies
Mapped weaknesses to relevant threat scenarios and attack paths
Assessed potential business, operational, and regulatory impacts
Prioritised risks based on likelihood, impact, and existing mitigations

This analysis focused on real-world threats and architectural exposure, rather than checklist-driven control gaps, and directly informed target-state definition.

4. Defined Target-State Maturity

Fortian worked collaboratively with stakeholders to define a pragmatic target-state security architecture and maturity profile:

Established target maturity levels for each security capability domain
Aligned target state with organisational risk appetite and regulatory obligations
Considered operating model, resourcing, and delivery constraints
Defined architectural principles and design objectives

The target state provided a clear, measurable, and achievable future security posture.

5. Gap Analysis, Strategy and Roadmap Development

Based on the defined current and target states, Fortian performed a formal gap analysis to inform cyber security strategy and roadmap development:

Identified and validated gaps between current and target maturity
Translated gaps into prioritised initiatives and uplift activities
Defined dependencies and sequencing across security domains
Developed a phased roadmap (short, medium, and long term)
Established metrics to track progress and demonstrate uplift over time

The Outcome

The engagement provided the client with:

A clear, evidence-based view of their current security architecture maturity
A consistent, enterprise-wide understanding of cyber risk and exposure
A defensible target-state aligned to business and regulatory expectations
A prioritised cyber security strategy and delivery roadmap
Practical guidance to uplift security posture in a controlled and measurable manner

Sample radar chart showing current state versus target state maturity across security capability domains — Sample overview of findings (illustrative data)

Why Fortian

Fortian's Security Capability Model provided a structured, repeatable framework for assessing security maturity that went beyond checklist compliance. By combining deep technical assessment with threat- and risk-led analysis, the engagement delivered actionable insights that enabled the organisation to make defensible security investment decisions aligned with their business context and regulatory obligations.