Lesson 2.2

2.2: Questions That Reveal Maturity

8 minutes

Maturity assessments that use questionnaires tell you what the org wants you to hear. Maturity assessments that use questions — asked in the hallway, during a tabletop, over coffee with a senior engineer — tell you what’s actually happening.

Here are questions that separate a real program from a paper program. Each one has an answer that can’t be gamed, because the timing, specificity, and hedging of the response are the signal.

Questions that reveal a real program

“When was our last tabletop exercise? Who attended?”

A mature program runs tabletops at least annually, and the attendee list includes legal, comms, and an executive sponsor — not just security. If the answer is “we did one last quarter, legal and the CFO were in the room,” you’re dealing with a program. If the answer is a long pause followed by “we haven’t done one but we’ve talked about scheduling one” — paper program. The cost of running a tabletop is three hours. Orgs that don’t run them aren’t too busy; they’re too afraid of what the exercise would surface.

“Walk me through the last real incident we had.”

The answer should be specific: date, lead, duration, what failed, what worked, what changed after. “We had a credential-theft event in March; Priya led IR, we detected it in 90 minutes via the EDR console, root cause was a contractor account that hadn’t been offboarded, we added MFA to the contractor onboarding runbook.” That’s a program with reflexes.

The anti-pattern: “We haven’t really had any incidents.” In a 120-person SaaS company, the base rate of real security events over a year is non-zero. “No incidents” usually means “no detection” — and that’s a bigger problem than having incidents, because you’re flying blind.

“Who’s on-call for security this weekend?”

If the answer is “nobody” — you have a problem. If the answer is “Priya, but she’s on PTO, so the IR Slack channel will get it” — you have an aspiration, not a program. A mature program has an on-call rotation that spans weekends with a named secondary, and people know where to page.

“Can you show me our asset inventory?”

A pause longer than ten seconds means low maturity, regardless of what gets produced next. A mature program can produce an inventory in the time it takes to paste a query into a console. If the team has to “check with infra” or “ask the cloud team” or “pull it together” — you don’t have an inventory. You have the raw material for one.

Questions that do NOT reveal maturity

“Are we SOC 2 compliant?”

Binary question, binary answer, tells you nothing about actual controls. Two companies can both be SOC 2 Type II certified with wildly different security postures. One runs a real program and passed. The other documented a program on paper and passed. The auditor can’t tell the difference in most cases. You shouldn’t rely on the answer either.

“Do we have EDR?” / “Do we have a SIEM?” / “Do we have MFA?”

Having a tool ≠ using a tool. MFA deployed but with enforcement set to “optional” is worse than no MFA because it creates a false sense of security. EDR installed but with no analyst coverage is just a licensed log source. Ask how it’s configured and who looks at the output — not whether the license exists.
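The inventory question and the “having a tool ≠ using a tool” point both come down to the same habit: measure the state of a control, not its existence. The following script is an added example written for this lesson, not material from the course or from any vendor. It works on constructed records (a hypothetical IdP policy export, a cloud host list, a CMDB export, an EDR agent roster and a few days of EDR alerts; the names, dates and field layouts are all made up) and turns three “do we have it?” answers into numbers: which groups have MFA on paper but not enforced, which hosts the inventory or the EDR agent doesn’t know about, and what fraction of alerts anyone actually looked at within an SLA, split out for the weekend so the on-call question gets answered by data rather than by memory.

```python
"""Evaluate control *usage* rather than control *presence* over constructed
records. Every dataset below is made up for illustration; a real run would
read the IdP policy, cloud API, CMDB and EDR console exports instead."""
from datetime import datetime, timedelta

# --- constructed sample data (not from any real system) --------------------
MFA_POLICY = {  # hypothetical IdP export: group -> enforcement mode
    "employees": "required",
    "contractors": "optional",       # the "optional" case from the lesson
    "executives": "required",
    "service-accounts": "disabled",
}

CLOUD_HOSTS = {"web-01", "web-02", "api-01", "db-01", "batch-07"}  # cloud API
CMDB_HOSTS = {"web-01", "web-02", "api-01", "db-01"}               # inventory of record
EDR_AGENTS = {"web-01", "api-01", "db-01"}                         # agents checking in

# (fired_at, acknowledged_at or None), all UTC; 2024-03-09/10 is a weekend
EDR_ALERTS = [
    (datetime(2024, 3, 8, 10, 0), datetime(2024, 3, 8, 10, 25)),    # Friday
    (datetime(2024, 3, 8, 16, 0), datetime(2024, 3, 8, 17, 40)),    # Friday
    (datetime(2024, 3, 9, 3, 15), datetime(2024, 3, 11, 9, 5)),     # Sat -> Mon
    (datetime(2024, 3, 10, 14, 0), None),                           # Sunday, never triaged
    (datetime(2024, 3, 11, 11, 0), datetime(2024, 3, 11, 11, 20)),  # Monday
]


def mfa_gaps(policy):
    """Groups where MFA is deployed but not enforced ('optional', 'disabled', ...)."""
    return sorted(group for group, mode in policy.items() if mode != "required")


def inventory_gaps(cloud, cmdb, agents):
    """Hosts the inventory of record doesn't know about, and hosts with no EDR agent.

    A non-empty 'unknown_to_cmdb' list is the 'raw material, not an inventory'
    case: the cloud knows about machines the org's own record does not."""
    return {
        "unknown_to_cmdb": sorted(cloud - cmdb),
        "no_edr_agent": sorted(cloud - agents),
    }


def triage_coverage(alerts, sla=timedelta(hours=4)):
    """Fraction of alerts acknowledged within the SLA, overall and on weekends.

    A weekend figure near zero means the EDR is a licensed log source two
    days a week, whatever the on-call rota says."""
    def within_sla(fired, acked):
        return acked is not None and acked - fired <= sla

    overall = [within_sla(f, a) for f, a in alerts]
    weekend = [within_sla(f, a) for f, a in alerts if f.weekday() >= 5]
    return {
        "overall": sum(overall) / len(overall) if overall else None,
        "weekend": sum(weekend) / len(weekend) if weekend else None,
    }


if __name__ == "__main__":
    print("MFA not enforced for:", mfa_gaps(MFA_POLICY))
    print("Inventory gaps:", inventory_gaps(CLOUD_HOSTS, CMDB_HOSTS, EDR_AGENTS))
    print("Alert triage within SLA:", triage_coverage(EDR_ALERTS))
```

On the constructed data the script reports MFA unenforced for contractors and service accounts, one host the CMDB has never heard of, two hosts with no EDR agent, and 60% of alerts triaged within four hours overall but 0% of weekend alerts. Those are the figures to ask for in place of “yes, we have MFA” and “yes, we have EDR”; the thresholds (four hours, “required” as the only acceptable mode) are choices for the assessor, not facts from the lesson.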

“What’s our phishing click rate?”

The most gameable metric in security. You can make it low by sending easy phishing tests. You can make it high by sending nasty ones. It correlates weakly with actual breach likelihood because phishing is just one attacker entry point and click rates don’t predict what happens after the click. Module 3 covers what to measure instead; for assessment purposes, skip it.

The tell that cuts across all of them

When you ask a maturity question, watch for hedging vocabulary: “we try to,” “we should,” “we’re working on.” Those are future-tense words in a present-tense question. A mature program answers in past and present tense: “we did, we do, we have.” Hedging isn’t dishonesty. It’s the sound of a program that hasn’t operationalized something yet.