From Firefighting to Future-Ready: A Behind-the-Scenes Look at a 6-Week IT Assessment
- Jimmy Stewart
- Nov 11
- 6 min read
Over a six-week period, I conducted a 30-hour comprehensive IT maturity assessment for a mid-sized organization to evaluate their technology infrastructure, security posture, and operational readiness. The goal was to identify strengths, uncover risks, and develop a roadmap to move from reactive IT management toward a proactive, data-driven model. What follows is a de-identified version of that assessment, showing the structure, depth, and outcomes clients can expect when engaging me for a technology maturity review.
Executive Summary
This IT assessment provides a comprehensive evaluation of the organization’s technology infrastructure, operational maturity, and security posture. The assessment identifies strengths, risks, and opportunities for improvement across core IT domains including infrastructure, data management, cybersecurity, and vendor management. While the environment demonstrates a solid operational baseline, the analysis highlights opportunities to enhance automation, governance, and resilience through structured process improvement and modernization initiatives.
Objectives and Scope
The objective of this assessment was to evaluate the organization’s IT maturity and alignment with industry best practices. Areas reviewed include network architecture, security and compliance, systems and software inventory, data management, operational processes, vendor management, and business continuity planning. The assessment establishes a baseline for maturity and provides a roadmap for improvement.
Methodology
The assessment was conducted using a Technology Maturity Framework that measures each domain against five maturity levels:
Level | Description |
1. Initial | Processes are ad hoc and undocumented. |
2. Developing | Foundational controls exist but lack consistency. |
3. Defined | Processes are documented, repeatable, and partially automated. |
4. Managed | Controls are actively monitored and optimized for performance. |
5. Optimized | IT is proactive, data-driven, and aligned with business strategy. |
Data was collected through interviews, system observations, policy reviews, and configuration sampling. The findings below are based on direct evidence and stakeholder input.
Principles
Simplify and standardize for consistency and efficiency.
Cloud-first approach to enable automation, resilience, and scalability.
Security by design – integrated at every level of system architecture.
Self-service enablement – empower users to perform routine actions independently.
High availability – eliminate single points of failure.
Continuous improvement – adopt a lifecycle mindset for processes and systems.
Technology Maturity Overview
Domain | Current Level | Target Level | Priority |
Network Infrastructure | 3 – Defined | 4 – Managed | High |
Security & Compliance | 2 – Developing | 4 – Managed | High |
Data Management & Backup | 3 – Defined | 4 – Managed | Medium |
IT Operations & Processes | 3 – Defined | 4 – Managed | High |
Vendor & Third-Party Management | 2 – Developing | 3 – Defined | Medium |
User Access & Authentication | 3 – Defined | 4 – Managed | High |
Network Infrastructure Assessment
The organization maintains a standard network topology with segmentation, managed firewalls, VPN access, and secure wireless connectivity. However, visibility and telemetry are limited to device-level monitoring rather than behavior-based analytics. The MSP performs patching and firmware management, but no automated configuration drift detection is in place. Documentation of network diagrams and VLAN segmentation exists but is not version-controlled.
Maturity Level: 3 – Defined
Key Insights & Opportunities: Introduce automated monitoring and configuration baselines; implement a network performance dashboard to track bandwidth utilization and latency.
Security and Compliance Review
Security controls include endpoint protection, email filtering, and firewall management. However, multi-factor authentication is inconsistently enforced, and the absence of a centralized SIEM reduces the ability to detect lateral movement or correlated threats. Policies are documented but compliance tracking and incident postmortems are not standardized.
Maturity Level: 2 – Developing
Key Insights & Opportunities: Implement a SIEM or XDR solution integrated with Entra ID, formalize security awareness training, and adopt regular tabletop exercises to validate response readiness.
Systems and Software Inventory
The environment relies on ConnectWise Remote and Kaseya UEM for endpoint tracking, but lacks a centralized inventory that includes licensing and dependency mapping. Software lifecycle management is reactive, creating risk of version drift.
Maturity Level: 2 – Developing
Key Insights & Opportunities: Deploy asset discovery and configuration management tools to enable real-time visibility across systems and improve patch compliance reporting.
Data Management and Backup Assessment
Data storage practices enable collaboration but expose sensitive data due to broad sharing permissions. Backups are handled by the MSP, but recovery procedures are not consistently documented or tested. Server backups hosted outside MSP management lack redundancy.
Maturity Level: 3 – Defined
Key Insights & Opportunities: Formalize retention and recovery documentation, adopt immutable backups for critical workloads, and perform annual recovery validation.
IT Operations and Processes
The IT team uses ConnectWise ServiceDesk for ticket tracking, yet KPIs such as mean time to resolution (MTTR) and SLA adherence are not monitored. Change management occurs informally, and service requests lack categorization metrics. The IT team is engaged early in business initiatives, aligning technology planning with organizational goals.
Maturity Level: 3 – Defined
Key Insights & Opportunities: Introduce a service catalog, define SLA metrics, and establish governance routines such as weekly change advisory boards (CABs) for operational transparency.
Business Continuity and Disaster Recovery (BCDR)
A comprehensive BCDR plan exists but has not been tested under realistic recovery conditions. Failover documentation is accurate, though dependencies between systems are not fully mapped.
Maturity Level: 3 – Defined
Key Insights & Opportunities: Conduct annual recovery testing, expand the plan to include SaaS systems, and integrate monitoring to validate recovery time objectives (RTOs).
User Access and Authentication
The organization uses Microsoft Entra ID for identity management. Single Sign-On (SSO) is partially implemented, and privileged accounts are not consistently separated. Logging is centralized but not actively reviewed.
Maturity Level: 3 – Defined
Key Insights & Opportunities: Enforce SSO across all SaaS tools, implement privileged access workstations (PAWs), and adopt conditional access policies to reduce credential exposure.
Endpoint and Device Management
Endpoints are managed with Sophos and Kaseya, providing visibility into patch and threat status. Some systems lack encryption, and Windows 10 devices remain in service nearing end-of-life. Microsoft Intune would allow unified configuration, compliance enforcement, and device imaging.
Maturity Level: 3 – Defined
Key Insights & Opportunities: Standardize endpoint provisioning with Intune and AutoPilot, enforce encryption, and document device lifecycle management policies.
Third-Party Vendor and Service Provider Review
Vendor relationships are strong but over-centralized. One vendor maintains both web development and hosting, representing a single point of failure. MSP engagement has eroded as internal staff assumed tasks originally scoped to the provider.
Maturity Level: 2 – Developing
Key Insights & Opportunities: Create vendor scorecards, realign MSP responsibilities, and establish a dual-vendor contingency plan for critical services.
Findings and Recommendations Summary
Focus Area | Recommendation | Expected Outcome |
MSP Utilization | Reassign service ownership to MSP for support and monitoring | Improved efficiency and accountability |
Vendor Diversification | Identify secondary vendors for web development and hosting | Reduced operational risk |
EOL Systems | Replace all unsupported systems | Reduced vulnerability exposure |
Data Management | Complete SharePoint migration and document recovery procedures | Improved resilience |
Service Simplification | Consolidate redundant systems | Reduced cost and complexity |
Asset Management | Implement full lifecycle tracking in ConnectWise | Improved compliance and visibility |
Security Modernization | Enforce SSO and MFA across all tools | Strengthened access control |
Roadmap for IT Recommendations
Phase 1 (0–3 Months)
Reassess MSP engagement and update service scopes.
Begin enforcing MFA and expanding SSO coverage.
Address endpoint protection and encryption gaps.
Activate ConnectWise asset management.
Create tiered administrative accounts.
Phase 2 (3–6 Months)
Complete SharePoint migration and formalize data recovery procedures.
Begin system simplification and inventory reconciliation.
Replace EOL hosts and applications.
Introduce service KPIs and change tracking.
Phase 3 (6–12 Months)
Deploy Intune for endpoint and mobile management.
Conduct full BCDR testing.
Implement a SIEM for real-time threat detection.
Expand vendor portfolio for redundancy.
Phase 4 (12+ Months)
Review progress quarterly, adjusting goals based on maturity advancement.
Launch continuous improvement and staff training initiatives.
Evaluate automation opportunities through Power Platform or ServiceNow workflows.
Overall IT Maturity Rating
Current Overall Maturity: Level 3 – Defined
Target Maturity (12–18 Months): Level 4 – Managed
The organization maintains reliable core IT functions but requires stronger automation, governance, and integration to reach a proactive and data-driven operational model. By executing the roadmap, the IT function can transition from tactical service delivery to strategic enablement.
Conclusion
This assessment provides a clear view of the organization’s current IT maturity and offers a practical roadmap to strengthen technology operations, improve security, and streamline management practices. The results highlight measurable opportunities to enhance efficiency and resilience through modernization, automation, and improved governance. By following the recommendations outlined in this report, the organization can build on its existing foundation to achieve higher levels of performance, stability, and alignment with long-term strategic objectives.
Comments