AI adoption, risk assessments, and leadership alignment drive security maturity

Vanta has released its Trust Maturity Report, offering a data-driven look at how organizations are evolving their security programs in an increasingly complex risk landscape.


Drawing on aggregated, anonymized insights from over 11,000 organizations and aligned to the NIST Cybersecurity Framework (CSF), the report maps companies across four security maturity tiers:

Partial – Organizations in the earliest stage of maturity, typically relying on limited or ad hoc security processes

Risk-Informed – Teams that have begun to formalize risk management practices, though application is often inconsistent

Repeatable – Companies with standardized, organization-wide security practices that are actively maintained

Adaptive – Highly mature organizations that continuously optimize and scale their security programs through automation, analytics, and cross-functional alignment

As organizations progress through these tiers, the report shows a clear pattern: higher maturity correlates with better risk practices, stronger resilience and more effective use of AI. Key findings from the report reveal: 

Risk assessments are a turning point: Only 43% of Partial companies have completed a risk assessment, compared to 100% for Adaptive 

Budget remains a barrier at all stages: 67% of Repeatable and 35% of Adaptive companies cite budget and resources as ongoing challenges

Incident preparedness signals maturity: 92% of Repeatable companies monitor threats continuously with alerts; among Partial companies, 56% have only a basic incident response plan that is never tested, and 12% have no plan at all

AI drives scale and efficiency at the top: 71% of Adaptive companies are adopting AI to enhance speed, scale, and efficiency.

“Security maturity doesn’t happen by accident—it’s driven by deliberate, strategic investment in risk management, culture and ongoing incremental improvements to people, process, and technology,” said Jadee Hanson, CISO, Vanta. “Our data shows that organizations that embed trust principles in everything they do mature faster, operate more resiliently, and are better prepared for today’s evolving risk landscape.”

Security maturity starts with strategic risk management

One of the clearest markers separating Partial organizations from the more advanced tiers is the risk assessment. Vanta’s research found that only 43% of Partial organizations conduct risk assessments, while 100% of Risk-Informed businesses have conducted at least one formal risk assessment. This shows how external factors like compliance requirements and customer needs are often the biggest drivers of early-stage security programs.

Incident readiness was also a clear indicator of maturity. Vanta found that 92% of those at the advanced tiers (Repeatable and Adaptive) monitor threats continuously with alerts. Specifically, for Repeatable organizations:

100% have business continuity plans

85% run regular incident response drills

78% test their plans regularly

AI is a key enabler for mature security teams

Adaptive companies are significantly more likely to adopt and integrate AI into their security operations. With a better understanding of their data flows, governance needs and risk exposure, these organizations use AI to reduce rework, streamline decision-making and align with frameworks like ISO 42001.

Trust-first teams drive maturity

Trust isn’t just a byproduct of mature security programs; it’s what drives them forward. As organizations progress, they embed trust into company culture, secure leadership alignment and integrate risk into top-level decision-making.

For Partial organizations, security investments are largely driven by customer expectations and compliance needs. For Adaptive, the top drivers are responding to customer/vendor demands (95%), reducing security risks (93%), meeting compliance requirements (90%), scaling security operations (75%), differentiating through security maturity (70%) and managing multiple frameworks (35%).

Budget remains a universal challenge—but obstacles broaden with maturity

While resource constraints persist across all tiers, mature organizations increasingly face challenges like implementing automation at scale, cross-team alignment and keeping pace with evolving threats, emphasizing the need for strategic leadership, collaboration and adaptable infrastructure.

The top challenges facing each group when moving up the maturity curve are: 

Partial: Budget and resources (48%)

Risk-Informed: Budget and resources (66%)

Repeatable: Budget and resources (67%), implementing automation or managing frameworks (27%)

Adaptive: Budget and resources (35%), implementing automation at scale (20%), executive buy-in or internal alignment (15%) and keeping up with threats (15%)

This shows that budget and resourcing are a top concern, regardless of maturity stage, but that these challenges become much more people- and risk-centric as maturity progresses. Ultimately this underscores that achieving security maturity is not a one-time milestone, but an ongoing process—one that requires strategic investment, cross-functional collaboration, and a foundation of trust. 
