
Governability diagnosis

Get sharp clarity in a few days on where your governance over cybersecurity does and does not work.

Tools and people are in place. The question is whether the board can demonstrate the organisation is in control. This diagnosis surfaces that governance. We sit at the table as senior architect, not as auditor or vendor.

Duration: 2 to 3 weeks
Effort: Senior architect, several days
For whom: CISO or Security Manager, midmarket
§ 01 · The question

When a diagnosis is needed

You probably recognise yourself in one of three situations. Not a verdict, a pattern we see at organisations with 500 to 10,000 workplaces.

Pattern 01

The board asks questions no one internally can answer.

"Are we exposed to this new regulation?" "Are we ready if it goes wrong?" The answer doesn't come, or comes fragmented.

Pattern 02

The tools are there, the coherence is missing.

SOC, SIEM, IAM, GRC. All present, all owned. No one watches the system as a whole.

Pattern 03

Compliance reporting feels like improvisation.

Each quarter, figuring out again where which numbers come from. It costs too much time and the result convinces no one.

§ 02 · Outcome

What the diagnosis delivers

No report to leaf through and put aside. The outcome is something you can use in the next executive meeting, and every one after.

01

A report the board can read and use.

Short text, clear picture, no jargon. What works, what doesn't, and which questions the board should ask itself. Enough context to decide, no more.

02

An action perspective with priorities and timeline.

Three to five moves that matter now, with reasoning why these. Per move an indication of effort, duration and ownership.

03

A shared language across the organisation about what governance means.

CISO, IT, finance and board talk about the same thing afterwards. That is not soft. It determines whether a second conversation is productive, or starts over.

§ 03 · How it works

How the diagnosis runs

Five steps, in two to three weeks. No fixed template. We calibrate to your context, the rhythm stays.

  1. Preparation

     Documentation and context. Policy, org chart, recent board notes, audit findings. A first one-hour call to test assumptions.

     Week 1, day 1 to 2

  2. Conversations

     With CISO, IT management, a representative from the primary process, and where relevant CFO or board member. Four to six 45-minute sessions. No interview script, but a thread.

     Week 1 to 2

  3. Operational review

     SOC output, risk register and incident history of the last year. We don't look for what's missing. We look at whether what's there is used for governance.

     Week 2

  4. Synthesis and validation

     We write, you check. An interim version to the CISO for factual corrections. No consensus round. The architect remains owner of the conclusions.

     Week 2 to 3

  5. Report and presentation

     Final report, plus a verbal presentation to the meeting you choose. Board, audit committee, leadership team. One hour is enough.

     Week 3

§ 04 · Participants

Who's involved

A diagnosis is a conversation between people, not a survey of a department. We keep the circle small and the conversations concrete.

On your side

The CISO is sponsor and conversation partner.

One central contact, usually the CISO or Security Manager. Around them a workable circle of stakeholders we speak with.

On our side

One senior architect, from start to finish.

No team, no junior doing the work. The architect who runs the first conversation writes the report and presents it.

Hans Raaijmakers
Senior architect and founder. A quarter of a century in security governance, finance, and public sector.
§ 05 · Investment

Scope and duration

What this costs depends on your context and scale. We are upfront about effort and duration, so you know what you're asking for.

Duration: 2 to 3 weeks

From kick-off conversation to final presentation. No acceleration on request. The rhythm is part of the quality.

Our effort: Several days of architect work

Spread over the duration. Including preparation, conversations, synthesis, final report and presentation to the meeting.

Rate: On request

A fixed amount per diagnosis, after the orienting conversation. No hourly billing, no scope creep.

§ 06 · Scope limits

What this is not

For clarity, what this is not.

Not a vendor pitch dressed as advice.

We have no partnerships with vendors. If a tool fits, we say so. If there is one too many, we say that too.

Not an audit with a checklist.

An audit assesses whether you meet a standard. A diagnosis assesses whether your governance works. Two different questions.

Not a technical pentest.

We don't break in. For pentesting we collaborate with specialised parties and interpret their output in context.

Want to know if your governance actually works?

Plan a diagnosis