Target Maturity Assessment

Too many maturity assessments are lengthy, complicated, and do not directly take into account the perspective of the business stakeholders. A maturity assessment should be quick, painless, and generate insights that inform the Enterprise Architecture (EA) strategy and roadmap.

MaryAnn Welke, Research Director, CIO Practice Info-Tech Research Group

Have you ever found yourself wondering about that recommended target maturity level? It is quite common to hear from a consulting company or an assessor that your target EA (security, IT) maturity should be at a “Managed” if not an “Optimised” level of a commonly applied Capability Maturity Model (CMM). Why? Until recently, I could never get a sound and justifiable answer except for that it sounds logical to be targeting this level of maturity as an organisation would plan for its service improvement.

Unfortunately, the top maturity levels are not an easy target to achieve. In many cases, this will require serious investments, leadership commitment and diligent work over a couple of years or even longer depending on an organisation’s current maturity posture.

In addition, the journey to a target maturity level comes with another challenge – during the implementation time, an organisation may not see for some time a return from investments made to uplift maturity of under-performing services. We will see this scenario later, discussing high complexity organisations, when the business value can only become evident if an EA/IT department operates at the top levels of operational maturity.

Selection of an inefficient tactical approach to achieve a desired maturity level coupled with false expectations can create unnecessary pressure on an IT/EA department and erode trust from the business stakeholders. It may explain then why it is so hard to get everyone’s commitment and support in order to stay on a journey towards top maturity levels.

Let’s look into this problem and find out a practical solution to appropriately select and justify your department’s target maturity model. As recommended by Info-Tech Research Group, an organisation should assess the following aspects when selecting its EA target maturity level:

  • Measure EA operational maturity. Operational maturity is mostly process driven and represents the “traditional” understanding of maturity. This is what you usually get from an assessor going through a lengthy and painful assessment process with 100+ questions to answer. For comparison, our target maturity assessment questionnaire has about 40 dynamic questions to come to a similar conclusion.
  • Measure EA value maturity. I can hear you say, what on earth is that? Well, value maturity is an estimate of the value provided by EA (or a Security/IT function) to its internal (business) stakeholders or external customers. In other words, it is what your business stakeholders feel about EA and whether they experience any tangible improvements to their business processes.
  • And finally, measure your organisation complexity that would describe specific attributes such as company revenue, number of employees, used technologies, just to name a few.

I can provide you with a service to estimate all this important data and recommend a target maturity level. Alternatively, once you have the data available, you should be able to work out the target EA maturity level and required efforts depending on the current maturity state of the organisation.

From the assessment results, it is quite common to see that an EA/IT department will find themselves below the complexity curve. If that is also your case then do a “value catch up” to achieve a target maturity level – that is demonstrating more value to the business. Alternatively, if your current maturity level is above the complexity curve then improve EA operational processes. In other words, plan for an “operational catch-up”.

Selection of EA target maturity level based on organisational complexity, value, operational and current maturity levels.
Credit: Info-Tech Research Group

The different maturity journey curves show that driving value from enterprise architecture becomes more difficult as the organisation increases its complexity. The same holds true for your security or IT department.

Different levels of complexity shape the maturity journey differently for every organisation, for example:

  • Low complexity organisations will have a lot to gain from the early stages of EA maturity, while high complexity means value comes in the later stages of maturity.
  • High complexity organisations have to put in more effort to reach valuable results – real value usually starts to surface only at the top levels of operational maturity.
    That being said, it is important to note that as an organisation evolves in its complexity, its need for enterprise architecture becomes even stronger.
  • Medium complexity organisations should expect a 1:1 ratio of operational maturity to value. As the processes become more developed, there will be clear value realised by the business.

Although each level of maturity is tied to specific benefits, the target state of EA should be tailored to deliver optimal value for your organisation. Grow the EA department and EA’s scope as the organisation evolves, but be wary of going above and beyond if it is not worth your efforts or investments.

Do you need help assessing and selecting your target enterprise architecture/security maturity level?

Don’t sit back, get in touch now!
Avatar photo

Vlad

  • Recent Posts

  • Archives

  • Categories

  • Tags

    AI AI Security Awareness budget Diagnostic EA Info-Tech Internet safety IT Security Maturity assessment Processes Responsibilities service catalogue strategy Web App Scanning

    • © CISO FOR HIRE Pty Ltd | ABN 85 615 883 291 | 2016 All Rights Reserved