Cybersecurity continues to be a hot topic, with news alerts about data breaches and cyber attacks popping up almost every day. Between staying ahead of these ever-increasing threats and dealing with the growing complexity of compliance, it’s no wonder that many organizations across industries are left feeling overwhelmed. As they grapple with these continuous and ever-growing threats, they want to know where their cybersecurity stands.
A comprehensive cybersecurity assessment is a proven method to achieve this. But how exactly does such an assessment work, and why is it vital to safeguarding your business?

To gain insight, we sat down with Tim Timmermans, CISO at ON2IT, whose team leads the cybersecurity assessments. He gives us an insider’s perspective on how these assessments work and why they matter.
Let’s start with a logical first question: why are cybersecurity assessments relevant? What is their purpose?
“At its core, cybersecurity assessments are about creating alignment,” says Timmermans. “Too often, organizations dive into security initiatives without a solid strategy or considering the full context. This can lead to security and business operating in silos rather than supporting each other. A good cybersecurity assessment creates explicit clarity and a clear direction on where the business is going and the role that security has in this as a business enabler.”
Tim emphasizes another aspect: “In addition, a cybersecurity assessment creates alignment between strategic, managerial and operational levels. Multiple disciplines and organizational layers should be involved, such as C-level executives, architects and even experts. Getting different positions and departments on the same page helps build mutual understanding and breaks down communication and decision-making barriers.”
So, what does an ON2IT cybersecurity assessment look like?
“Our assessments are highly interactive and collaborative,” Tim begins. “Practically speaking, we use a structured approach where participants engage with a series of statements and collectively score the organization’s maturity on key cybersecurity topics. Think of your security governance, compliance, strategic planning but also architecture and operational capabilities like continuous monitoring and incident response.”
“What’s particularly interesting is that by bringing people from different departments and layers of the organization around the table, we can visualize and discuss variability in real-time. It highlights consensus, but also where perspectives differ or where misconceptions exist.”
Tim explains that whereas many cybersecurity assessments focus on strategy, architecture, or technique in isolation, ON2IT’s approach integrates all three. “We ground every assessment in Zero Trust principles,” he notes, “which allows us to provide a comprehensive gap analysis and a prioritized roadmap aligned with each organization’s needs.”
The process doesn’t end with the assessment itself. “We conclude with a workshop where we take a deep dive into some of the organization’s critical assets,” Tim adds. “This step helps teams understand Zero Trust concepts in a tangible way and ensures they leave with actionable insights.”
How does it differ from any other cybersecurity assessment?
“First,” Tim starts, “our assessments go well beyond ticking boxes. We foster meaningful discussions that drive organizational alignment. Many participants are pleasantly surprised by the new collaborations and perspectives that are sparked by these sessions.” Tim continues, “Whenever possible, we prefer to conduct our assessments in person, though we can also work remotely if needed. We involve participants from across the enterprise: strategic leaders like CIOs and CISOs, managerial staff, operational experts, and even board members.”
“People naturally view cybersecurity through their own lens,” Tim observes. “Stepping outside that perspective to see the bigger picture is invaluable. Participants frequently describe it as an eye-opener.” Bringing diverse stakeholders together creates new opportunities for collaboration. “They learn from each other and begin linking their work to broader organizational goals,” Tim explains.
Second, ON2IT focuses on improving security from a Zero Trust perspective. “Zero Trust isn’t just a technology; it’s a strategy. We’ve been refining our methodology for years and have deployed this successfully all over the world in organizations of all sizes and maturities.”
Tim points out that people’s expectations can differ significantly: particularly when it comes to Zero Trust, a key component to the cybersecurity assessments at ON2IT. “Everyone interprets Zero Trust in their own way,” he explains. “That’s why we invest time up front to clarify objectives and define what ‘Zero Trust’ actually means in the context of their organization. Once that groundwork is laid, participants are often surprised by how quickly the process moves forward.”
Involving all organizational layers is another key differentiator. “Strategic initiatives like Zero Trust succeed when everyone, from C-suite to frontline teams, aligns with the same security objectives. It’s vital to avoid the trap of treating cybersecurity as merely an IT responsibility.”
“Some people will say, ‘I could go through audits and assessments every day – do I really need yet another?’” Tim understands that frustration. “This assessment is about taking meaningful steps forward and bringing together actual practitioners from your company to discuss the nuts and bolts.”
Tim highlights that the process includes defining protect surfaces—the “crown jewels” of the organization—and collaborating with stakeholders to establish practical Zero Trust measures. “It’s not just evaluation; it’s the beginning of implementation.” A practical advantage of the assessment is its compliance mapping. “Zero Trust measures we recommend align with over 170 compliance frameworks. This makes it easier for organizations to adopt a risk-driven approach rather than chasing isolated compliance goals. Many participants are impressed by how this approach streamlines their efforts.”
Lessons from past assessments
With years of experience and over 100 assessments under his belt, Tim has learned numerous valuable lessons when it comes to cybersecurity assessments.
“Cybersecurity has implications for the entire organization. This is why we keep reiterating that it’s important to get stakeholders from all across the organization on board. Especially having C-level ‘on your side’ helps bridge security and business functions and ensures that cybersecurity gets the attention and support it needs throughout the entire organization.”
Another key thing to remember is that no organization will be starting from scratch when it comes to improving their cybersecurity. Existing frameworks and initiatives are likely already in place, which is incredibly helpful, but also a point of concern. “The idea of starting from scratch, especially when there’s already some sort of system in place, can be daunting. It’s important to remember that many organizations will, knowingly or not, already have some Zero Trust-based structures in place. These are a great starting point to boost Zero Trust adoption and logical follow-up actions, which the assessment will help determine.”
It’s not realistic to overhaul the entire enterprise in one go. “We typically recommend starting small and focusing on a few segments of your infrastructure, rather than tackling everything at once. You’d be amazed how small, targeted improvements can make real impact.”
“Ultimately,” Tim emphasizes, “we want to focus on the practical side of things. Implementation is key: start small, iterate and improve as you go. Keep continuing to make progress.”
Final Thoughts
Cybersecurity assessments shouldn’t be ‘just another check-the-box exercise’. With the right approach, they can spark meaningful change and pave the way for sustainable cybersecurity improvements.
As Tim puts it, “Cybersecurity assessments are about building a foundation for lasting security enhancements.” He does point out that they will always be snapshots in time. “Organizations, risks, and the broader threat landscape are constantly evolving. Assessments should be used not just to measure progress, but to stay adaptive and ensure that security improvements keep pace with that constant change.”