Technology for Business Podcast – Maturity Model

This week Tara sat down with Todd and Scott to chat more about the Maturity Model (and their favorite vinyl).

Listen in to learn more about:

  • How do you define the Maturity Model?
  • Who should consider Maturity Models?
  • Is there more than 1 application for the MM?
  • How does this apply to technology?
  • How can organizations benefit?
  • How do we use it to drive technology/business alignment/Compliance?

Have a question for Todd or Scott? Email


Episode Transcription


Tara Klocke: [00:00:00] Welcome today to CIT’s tech for business podcast. Today, we are sitting down with Todd and Scott, and we’re going to discuss the maturity model. I wanna kick it off for both of you guys. First, make a lovely introduction. Secondly, tell me your favorite record that you have on vinyl.

Todd Sorg: Go ahead. Okay. Um, I am Todd Sorg.

I am CIT’s chief operations officer. I am also the chief information security officer, uh, favorite vinyl record. Uh, I’m gonna break the rules and I’m gonna make it two. So, um, I’m gonna start with my, my very first personally owned vinyl was Kiss, Double Platinum. Bought that with my own money, just a young kid loved it.

Fantastic. Played the crap out of it. And then, uh, in my teen years, I’d have to say it was probably Guns N’ Roses, Appetite for Destruction.

Scott Patsy: Great choices. I [00:01:00] have both those on vinyl currently. Um, my name is Scott Patsy. I am the manager of strategic engagement here at CIT. Uh, thank you, Tara, for putting this together.

These are really fun. My, um, You can’t ask me about music, cuz we could spend an hour just talking about that. And I can’t really answer this question, um, without saying that my favorites continue to evolve and change all the time. And so right now in this moment I also have two favorites. Um, I just got a five, um, final five LP, uh, Grateful Dead collection from.

Cornell 1977. Now Cornell 1977 is a sought after a very renowned live show from the Dead. You can go very deep down the rabbit hole. That is the Grateful Dead. And so Cornell 1977 for me. Uh, and then I’m gonna pick on something very new that I really like. And I just bought on vinyl also. Um, [00:02:00] the debut self-titled release spot from a band of sisters called Wet Leg.

Really great. Um, modern. Rock, uh, I, I highly recommend it.

Tara Klocke: Well, I didn’t know I was going to stump you two and make you make this hard decision, but how about we get to something that I know you two know a lot about, which is the maturity model. So tell me how you guys would, would define this. What does that look like?

Scott Patsy: Yeah, I can, uh, I’ll jump in here, Todd, the, the, um, when I think about the maturity model from, you know, I’ll, I’ll, I’ll, uh, I’ll I’ll disassociate that, um, with, from technology specifically in this moment and just define the maturity model as being a measurement. The ability of an organization for continuous improvement in a particular discipline.

Um, so what the maturity model ultimately does is judge how a company or a [00:03:00] system is at improving itself from a given state allowing leadership to observe the company’s current maturity level based on industry PR industry practice, um, of the current discipline under. Todd, I don’t know if you had anything to add to.

Todd Sorg: Yeah. I mean, I think that’s pretty spot on, I guess the, the comments that I’d add to it is maturity models are really just that. I mean, at some point you’re trying to measure where you’re at today, where you’re going. And obviously in most cases, if you use the analogy of you can’t eat an elephant in one bite, there are steps that typically go with it.

And that’s essentially the concept of the maturity model is I’m here. I wanna. There as I continue to grow. And, um, how do you do that? And the maturity model is kind of giving you that formal process of putting it together and helping you move forward.

Scott Patsy: Yeah, I, I would, I would even supplement that to add on to the ultimate part of the ultimate goal being, um, not [00:04:00] only to realize for a company to realize its current maturity, this is where we’re at today, based on whatever we’re trying to analyze in the best practice associated with that, um, measured best practice that is we’re not making it up.

Right. Um, But, uh, and, and then ultimately what the next level is to get to what the goal is. But a quality maturity model process should also help you identify or help a company identify two other really important details. And that is, you know, okay, what are the steps to take for us to get to level two or level three, you know?

Um, and then ultimately determining what the financial or human resources it will take to, to make that move.

Tara Klocke: Okay. So I have another question for both of you then, who should really consider applying maturity models into their organization?

Scott Patsy: I would say, um, any [00:05:00] organization that is looking to improve upon itself in any way, it doesn’t have to be technology, right.

Um, any organization can improve how. Choose to hire people, um, you know, how they onboard new employees, um, how they adapt processes, how they adapt policy, you can really apply this to any size business in any place inside of your organization where you’re looking to improve. You know, I, I don’t know that there’s another way to say it it’s, it doesn’t apply just to one, you know, you don’t have to have 50 employees or whatever.

Todd Sorg: Yeah, I’d agree. I mean, uh, essentially what it is is it’s, like I said, it’s kind of a formal process that helps organizations kind of improve. And, um, even organizations, there’s a, there’s a local brewery in town in Minnesota here. That’s got a saying that says they have big ambitions to big, ambitious to stay small.

Um, and while that sounds like, Hey, we’re not really trying to do [00:06:00] a lot. We’re not trying to, to be one of the biggest. Uh, manufacturers of beer and distribution of it. That doesn’t mean that they’re not trying to continue to improve who they are, make better beer, be it more efficient, deliver what their customers are looking for.

And the maturity models will apply to somebody as small as this really, really small micro brewery or somebody as big as a 500 plus organization. Yeah, kind of that’s

Scott Patsy: I really like that. What was that statement again?

Todd Sorg: they have big ambitions, big ambitions to stay

Scott Patsy: small. That’s great. I really like that.

Tara Klocke: Well, and that kind of brings into my next question. So regardless of your size, is there like one way in particular that you go about applying this maturity?

Scott Patsy: There are, um, within the maturity model concept, there are, there are lots of standards over time that have been. Developed. Um, and if you do some research, you know, [00:07:00] Googling , um, there are a number that have, that have, have been, you know, put together already, um, that an organization could attach itself to, to kind of help this process along.

And that’s kind of in part what I would certainly encourage, you know, don’t, don’t make it up. Um, look within the discipline. In which you are trying to improve and see if there’s a maturity model, you know, out there that, um, that you can, that you can utilize. There are, you know, we can get into some very specifics here within the technology, uh, discipline or how they apply it to technology.

But, um, just know that, you know, within, um, lots of different industries and lots of different disciplines, there are, there are already some very well built. Maturity models.

Todd Sorg: Yeah, I was gonna expand on that a little bit too. So there isn’t just a single maturity model that’s out there. So, [00:08:00] um, we’ll dig into a little bit of ’em today, but you know, it’s just kind of giving you high level stuff.

Um, there are many organizations that already implement those. So for example, there are project management, maturity models that are out there. Um, there are technology ones, a lot of people are probably familiar with CMMI, um, they’re cybersecurity maturity models. So you can get into ones that are basic for finance and so forth.

So there’s a lot of ’em. They do apply. And like I said, at the beginning, the intent of this is really trying to find ways to help organizations continue to mature out. Um, so

Scott Patsy: Go ahead. No, I would, I didn’t mean to step on, I would even say, you know, something that people are really. Most people are, are, are probably pretty familiar with, or at least I’ve heard of as, as like an ISO standard, you know, within manufacturing, very similar, right?

That’s a very well known, pretty global standard for how a manufacturing organization matures its process. Right? And, and, and the, and the big benefit in that world is if your ISO, you know, [00:09:00] act certified. Um, that means there are certain criteria that you’ve met that ultimately. Your customer is looking for you to have accomplished.

And so that’s one giant benefit in that scenario is if you’ve met the criteria in a particular standard, you can do business with a particular customer or a customer will even come to you specifically, based on the fact that you have met that ISO standard, you meet that criteria. You have matured as an organization to such a degree that you’ve been awarded that standardization.

Todd Sorg: Yeah, I’ll expand on that a little bit too. So, so prior to, to joining CIT, as you know, we’re all, we’re all CT CIT and it up here. Um, I used to work for a manufacturer and, and one of the questions that you kind of ask is why do you go through a process like this? And, and I kind of mentioned it’s because you wanna continue to improve as organizations, but there are a lot of other reasons for it too.

Scott just touched on, we can [00:10:00] get more revenue because of it. We can land projects, we can separate ourselves from our competition. But, you know, another one and, and this is where I was kind of focusing very heavily at the front is just trying to make sure that your processes are very repeatable. Um, so there’s a whole slew of good reasons why they do it and when you’re going, Hey, I think if you’re considering this in your organization is I think we’re gonna move forward on something, this like this.

You can then circle back with your stakeholders and say, I wanna move forward because I think it sets us apart. I think it’ll help us drive additional revenue. I think it’ll help make our processes repeatable and, and predictable and so on and so forth. So there’s a lot of really good reason to do that.

And almost everybody inside of every organization wants those things. They want more money, they want more revenue, they wanna make it more efficient and so on and so forth. Yeah, absolutely.

Tara Klocke: Like who, who wouldn’t want that for their organization? And. In case anybody said, no, this is a podcast on technology.

So I do wanna dive into a little bit about how does this apply [00:11:00] to technology? Yeah,

Scott Patsy: that’s a, that’s why we’re ultimately here. Right? Um, so there are a few ways that we can kind of look at that. Um, I think the important one today is to help, um, You know, the listener here understand, um, broadly how the maturity model can apply to technology.

But then more specifically, how does CIT use the maturity model, um, to help our customers ultimately, you know, align their business goals with what technology can do, right. Um, I think a good broad place to, to start maybe, um, Todd, you can help out here is, uh, something that’s kind of on the forefront front of everybody’s mind today being cyber security.

And there are a number [00:12:00] of, of, uh, places where this applies. Um, and, and, and Todd, I would invite you to kind of start and I I’ve kind of got some, some stuff queued up here to, to discuss about it.

Todd Sorg: Sure. Yeah. So thanks for that. But, but cybersecurity is really easy because as Scott mentioned, it’s top of mind right now, it’s easy to talk about.

Um, but the nice piece about it is there is a decent amount of compliance out there that kind of helps build what frameworks look like today. Um, so you look at those highly regulated industries, your healthcare, your finance, et cetera. They’re all trying to do exactly that. As I mentioned early on, you really can.

Do it all in one chunk, there’s a variety of reasons for it. The complexity, the cost, et cetera, et cetera. Um, in the compliance industries or the regulated areas, the reasons why they have to do it is because they’re being asked to do a lot. The reasons why there is compliance and regulations is because there’s a lot of risks in those industries, whether that’s because they’re being insured, um, by insurance companies or by the D I C or whatever the case may be.

They’re the ones that [00:13:00] are saying, Hey, there’s a lot at risk here. We wanna see you do it. Essentially, what they say is there’s kind of a foundation that you need to get in place for the maturity model and they call it baseline in the finance industry. And then as you continue to grow and get better, the next stage is called evolving.

So again, you’ve kind of got the basics I can block. I can tackle. Now I’m starting to get it a little bit better. And then once the next step up is intermediate. So you’re doing about average. That’s about what most organizations are trying to do if you’re in that industry. And then you get up to advanced and then at the very top of the scale is innovative, and the intent is.

Most organizations aren’t really striving to be innovative when they’re in the SMB market, which is typically where we focus and that’s because they don’t have the revenue, the horsepower, et cetera. But there are leaders in every industry that are going to be innovative, even if they are small, there’s, there’s plenty of people that are really trying to turn their industry on their head.

And they’re trying to be living in that innovative state as well. [00:14:00]

Scott Patsy: Yeah. Yeah. That’s great. Um, I’ve got a, um, uh, kind of what I have queued up as some, an example, really within cybersecurity kind of, you know, how and where that applies. And so, um, I think, uh, if there’s anybody out there listening to this that is, um, kind of tapped into what.

The cybersecurity industry is doing the maturity model that we see relatively, um, consistently is what’s called the cybersecurity maturity model certification, the CMMC, um, which is an assessment framework published by N the national institutes of standard and, and, and technology. And what the CMMC does, is it, um, It’s got a whole list of about 14, what they call domains, um, that, uh, um, are specified for, um, analysis, um, to address the CMMC and, [00:15:00] and those are access control, awareness and training, audit, and accountability, configuration management.

I’m not necessarily gonna list all. 14 of ’em, but you can kind of understand what they’re trying to accomplish their incident response, um, personal security, physical protection. There’s, uh, there’s a whole list of things to, to get through and to mature through, um, within the CMMC and those domains and, and, and an example of that is, um, Kind of the framework that we’ve been hearing about is, um, you start at, you know, a particular level of maturity and as an organization meets those maturity requirements, it would, you know, move on to the next level.

Right. And, and within the CMMC, the first level is access control and the first level and level one. Then within access control is what they call authorized access control. And, and they call that out and they say limit system access to authorized users, [00:16:00] process pro uh, uh, processes acting on behalf of authorized users or devices, including other information system.

And so once an organization has done that limited. Information system access to authorized users. It can kind of check that box and move on to, um, the next aspect of level one. Again, being access control, which is transactional and functional control limit information system, access to the types of transactions and functions that authorized users are permitted to execute.

Um, so you can kind of see how this moves the next, uh, uh, uh, aspect of level one is external connections, verify and control slash limit construction, uh, connections, um, to and use of external information systems. Um, Uh, and so they, once you have kind of done these things, checking the box, you move on to the.

[00:17:00] Piece of that. And AF once you’ve matured through level one, level two, uh, again, within the access control domain. And I know we’re getting in the weeds here, I hope everybody’s following me. Um, level two is then starts with, um, the separation of duties and so separate the duties of individuals to reduce the risk of malevolent activity without collusion.

And, and, and, and the CMMC is, is, is, there are lots of questions it’s very in. Um, and for cyber security at this level, it really should be, but you can see within the different levels, what they’re doing, they’re ultimately tightening the security restraint so that the right people can get access to the right information, um, or ultimately to limit access.

um, only to a certain set of people internally or externally. Um, and this goes on and on and on, and there are lots of levels and lots of questions, certainly not gonna read ’em [00:18:00] all, but you can kind of get the gist here of, again, the process by which an organization meets a particular criteria within a level in order to check a box and move on to the next.

Tara Klocke: So I definitely heard a lot of compliance compliance, but then how do I take my organization and align that with those models? What do I do? Do I do that myself? Can I reach out to somebody to help? Or how do I check some of those boxes?

Scott Patsy: Yeah. Yeah, that, that that’s that’s thank you, Tara, for reeling us in a little bit.

um, the question there really is. Okay, well, how does CIT help, you know, our customers? How do we use the maturity models to help our customers? Um, because our customer base is one that tends to be, uh, what we refer to as, as SMB. Uh, um, and I’ll clarify a little bit to say CIT’s customers that have, um, you know, a pretty broad range of, uh, uh, of user basing.

We’ve got customers. They have five to, to, [00:19:00] to 500 users is, is, is kind of how we categorize that. And today, um, we are using maturity models, um, both within our cyber security and strategic engagement departments to drive. Really help our customer drive that level of maturity within each respective discipline.

Um, and, and I, I really, I firmly believe that that word using that word drive is an important aspect of this. I would say that our customers look to us in these cases to help them mature. Through these processes, and it’s not something that they necessarily are prepared, have the, or have the bandwidth to accomplish on their own.

So they really need us to, to help move them forward. Um, cybersecurity obviously is very focused on maturing the. Um, IT, uh, cybersecurity for our clients. Um, well the strategic engagement department takes a [00:20:00] broader approach in maturing overall. IT best practice within categories, such as IT infrastructure, where we’re analyzing servers, workstation, storage, switching, um, backup and recovery.

IT budgeting, um, and big picture items like the organization’s cloud strategy or the ability of IT assets to meet, uh, uh, uh, business demand. Um, I will, uh, I’ll take this moment to kind of pick on an easy criteria, um, where, where, uh, um, Strategic engagement focuses. And that is, um, that’s the, that’s the IT budget.

So I’m just gonna talk through this briefly. So, um, if we were using the maturity model to analyze a customer’s IT budget, um, we, we, uh, we would do that. We kind of have five levels within budgeting, um, and we. Make these statements, we ask the customer, these questions, um, you know, where do you fit today? Um, within this model.

Um, [00:21:00] and so if I think of the IT budget, kind of it being one through five, number one being no formal IT budget exists. Technology is purchased ad hoc. IT budget percentage of revenue is unknown today. Um, or number two, being some IT purchases are made based on specific recommendations, but were not planned for in advance.

Most IT hardware, software and service expenses are paid for as needed. During a point of pain, IT budget, percentage of revenue is still unknown. Um, level three then is, um, you know, you can, you can kind of hear that it continues to get better as you mature. Um, level three is, uh, a list of technology purchase has been documented.

However, no specific annual IT budget is followed. Some hardware software service purchase is purchased in advance based on a roadmap. Uh, some are still purchased ad hoc. And again, IT budget percentage of revenue is, is less than industry average. Uh, number four, [00:22:00] then we would continue to get better. An IT roadmap has been documented annual IT budget has been created most or all IT.

Hardware, software, service expenses, expenditures are made in advance. Um, and then number five is a formal budget exists. The organization, um, and business leadership are aligned on technology solutions that support business goals. And so the question is, well, boy, Scott. Yeah, we are at a number one and we really wanna get to a number two and number three and number four.

And, and, and we need your help getting there. Right. Um, and so that’s where we. Use strategic engagement to help, you know, drive, um, organizational leadership, our customer’s leadership to working through those maturity levels. If no formal budget IT budget exists today, then let’s build a cadence together so that we can work with you to.

Identify the items that are attached to the IT budget, what [00:23:00] the cycle is for these things and build some predictable repeatable processes around, um, maturing you to the next level so that we can get from no formal IT budget exists to you have a roadmap we’ve helped you document that roadmap we’ve identified within, um, you know, quarter by quarter, what the IT purchases are that are going to be made.

We’ve identified. Um, when assets will refresh, we’ve identified when new hardware will need to be purchased based on warranty or support expectation, um, expiration, excuse me, we’ve identified when, um, you know, projects need to get accomplished based on that budget. Um, And then to help an organization, um, uh, uh, review that quarterly budget and review budget, percentage of revenue and see where it fits within its industry.

Um, so that’s kind of how we would take something as, um, really as important, [00:24:00] um, and as transformational as the IT budget and moving it from, ah, we really don’t have a formal IT budget. We kind of just buy stuff when we need, when we identify a pain point to a formal budget exists. Organization business leadership is aligned with, um, uh, not only making IT purchases, but, um, helping those purchases, uh, ultimately drive business.

Todd Sorg: So I’m gonna boil that down a little bit. um, I, I think, uh, what Scott said was great. I, I think all of that aligns extremely well. And if you were, I mean, I, I’m not trying to make fun of Scott in any way, but I think if you were kind of going through the process, I kind of highlighted, and I said, you got a baseline and you work your way up to innovative.

Exactly how he laid that out. They followed right into those steps. Right? So you kind of figure out where you’re at and where you’re going. One of the things that I kind of wanted to point out right away is I have worked for a fair number of organizations. Um, prior to this particular role in everywhere I’ve ever been, I’ve found that [00:25:00] the reoccurring theme is senior leadership hates surprises.

Right. And that’s budgeting. That’s break. That’s fix it’s it’s all the unknowns. Right? So when Scott’s pointing out heavily, you wanna get to this area where it’s repeatable, it’s understood. You’ve got budgeting, et cetera, for anybody that’s in charge of it, responsible for it or any. Other area having that predictable model does eliminate a lot of that friction and it removes the surprises.

So you’re less likely to have the president CEO’s laptop die unexpectedly, or your backup system didn’t work. And now I’m looking for a $20,000 investment or whatever the case may be. Those things are being eliminated. Um, now when it comes to cybersecurity, You know, Scott had mentioned this too, is a lot of organizations don’t have the horsepower to be able to kind of do that for them.

So there are partners out there. CIT be one of them having the ability to say we can help translate that. So I wanted to touch on the CMMC [00:26:00] piece real quick too, is, um, as Scott was reading through that, While it’s clearly in English that doesn’t necessarily make it easy to understand. Right? You go through all that and you say, whoa, what does that even mean?

There are organizations, there are people that do know how to make that very actionable and say, here’s where you’re at today. We can get you to the next step easily by doing X, Y, and Z. So there are very clear ways to do it. Um, And I, and I apologize, I didn’t mean to cut Scott off in any shape, manner or form.

I just kind of wanted to point out that the surprising thing is, is really, should hopefully resonate with a lot of people and being able to, to minimize that if not completely eliminated is something that most organizations are after.

Tara Klocke: And no fault to Scott’s, um, own, he is very passionate about this subject.

So it’s so nice and refreshing to be able to have somebody be a part of CIT that wants to talk about that. And he is in that perfect position, um, to do so. Um, so great job guys. [00:27:00] I appreciate, um, all of that. So I did wanna kind of, um, lead us out to the end and we’ll kind of wrap anything up, but Todd or Scott, do you have any, um, final words that you wanna get in there?

Todd Sorg: Yeah. I wanna know when we’re scheduling the music one. Yeah, right. yeah. When can

Scott Patsy: we let’s have a Grateful Dead podcast, which is the best version of ahea. awesome.

Todd Sorg: This was great,

Scott Patsy: Tara. Thank you so much.

Tara Klocke: Well, thank you. Uh, Todd and Scott, I very much appreciate your time. And as always, we love to talk and sometimes we tangent, but again, talking about the passion, we love to see that, but for those of you that are listening, we always are looking for, um, you know, feedback on some other suggestions.

So please make sure to do that. Um, you can visit our website, which is CT Or you can email us at info C I. Net dot. [00:28:00] And as always, we look forward to chatting with you guys next week. So, and are.
