Franco T.,
Too Long; Didn't Read
Assess IT maturity yourself: 5 dimensions, 4 stages, 1 clear picture. Find out where your company really stands—before something breaks.
TL;DR
Most companies think their IT is fine – until something breaks. The IT maturity check helps you honestly assess, across five dimensions, where you really stand: strategy, governance, security, operations, innovation. The pattern we see most often among Swiss SMEs: solid in operations, weak in strategy – and that exact gap costs the most. Do the self-assessment and see where you should start.
Imagine asking your IT manager: "Where do we actually stand?" Nine times out of ten, the answer is: "Pretty good, we don't have any major problems."
And most of the time, that is even true. No major problems. Everything runs. Until it doesn't.
We see this regularly: A company calls us after a security incident nearly escalated. Or because IT costs suddenly sit 40% over budget and nobody knows why. Or because a new system is about to be introduced and only now does it become clear that there is no clear IT decision-making structure.
The problem is not negligence. The problem is the lack of a status check.
"No problems" is not an IT strategy. It is hope.
What IT maturity really means
"IT maturity" sounds like a consultant framework. Like CMMI, ISO audits, PowerPoint slides that cost three months of project time.
That is not what we mean.
IT maturity describes, very pragmatically: How well does your IT support, protect, and further develop the company – not as an end in itself, but as a business resource?
To assess this, we look at five dimensions. Not fifteen. Five. And for each there are four levels – from reactive to strategic. That is enough to get an honest picture.
(Anyone looking for an enterprise certification project is better off with other consultants. We care about what your company actually needs.)
The five dimensions – and what they reveal
1. Strategy: Does IT know where the company is headed?
This is the most underestimated dimension.
It is not about whether you have an IT manager. It is about whether IT has a roadmap – and whether that roadmap has anything to do with the company's goals.
Level 1 – Reactive: IT responds to requests and problems. There is no roadmap. Decisions are made under pressure.
Level 2 – Defined: There is an IT plan. But it was written 18 months ago and is hardly up to date anymore. IT and management rarely talk about technology strategy.
Level 3 – Managed: The IT roadmap is reviewed annually and aligned with the business. There is a budget with a clear list of priorities.
Level 4 – Strategic: IT is an integral part of corporate planning. New business initiatives are developed together with IT, not handed over to it afterwards.
Self-check: When was the last time you spoke with your management about the IT roadmap – not about an acute problem, but about strategy?
2. Governance: Who decides what – and why?
Governance sounds bureaucratic. But it is not.
It is about one simple question: If a team wants to buy new software, what happens then? Does someone just buy it? Does someone ask IT? Is there an approval process? Does anyone know what is already in place?
Level 1 – Reactive: IT decisions are made ad hoc. Every department buys what it needs. Nobody has the full picture. IT often only learns about new tools when something stops working.
Level 2 – Defined: Basic processes exist. Large investments are coordinated. But smaller decisions are still chaotic.
Level 3 – Managed: Clear decision rules for IT investments. Budget ownership defined. An IT inventory exists and is maintained.
Level 4 – Strategic: IT governance is embedded in corporate management. The board or leadership team receives regular structured IT reports.
Self-check: Does anyone in your company know which SaaS tools are currently being actively paid for – all of them?
(If the answer is "roughly": that is Level 2.)
3. Security: Do you know what happens if it really happens?
Security has a problem: Everyone thinks they are safer than they really are.
Not because they are lying. But because they think in compliance terms: "We have a firewall. We have antivirus. We do regular updates." All of that may be true – and still often not enough.
Security maturity does not measure the number of tools. It measures resilience.
Level 1 – Reactive: No incident response plan. Security happens on demand. Employees open phishing emails because there is no training.
Level 2 – Defined: Basic protection in place (MFA, backup, antivirus). But no documented incident response process. Security events are noticed – but the response is improvised.
Level 3 – Managed: Regular security reviews. An incident response plan exists and has been tested once. Employees have been trained.
Level 4 – Strategic: Security is proactive. Threat modeling based on the business model. Regular penetration tests. A clear communication chain in an emergency, all the way to the board of directors.
Self-check: What would be the first step in your company if a ransomware attack happened tonight? Is there a written plan for that – or would someone start googling?
(We do not say this to scare you. We have seen too many situations in which the answer was "we would probably..." That is Level 1.)
4. Operations: Is your IT stable – or is it running by chance?
Operations is the dimension where most Swiss SMEs are strongest. Systems run. Help desk tickets are resolved. Backups are made (most of the time).
But "runs stably" and "runs well" are not the same thing.
Level 1 – Reactive: Problems are solved when they arise. No documentation. If the one person who knows everything is on vacation, the company grinds to a halt.
Level 2 – Defined: Basic documentation exists. SLAs with external providers are defined. But monitoring is patchy, and automation is barely present.
Level 3 – Managed: Systems are actively monitored. Incidents are measured and analyzed. Routine tasks are automated. Documentation is up to date.
Level 4 – Strategic: Operations are largely self-healing. Metrics are communicated regularly to the business. IT operations are scalable without a proportional increase in cost.
Self-check: If your IT person were to fail tomorrow – how long would it take before someone else knows what to do?
5. Innovation: Can your company adopt new technology?
This is the dimension that sparks the most discussion – and is measured the least.
Innovation does not mean "have we already tried AI." It means: How quickly can your company evaluate, decide on, and deploy a new technology – if it actually makes sense?
Level 1 – Reactive: New tools emerge from individual initiatives. No process for evaluation. IT often only learns about them after the purchase.
Level 2 – Defined: Occasional evaluations. Pilot projects are started, but there is no structured path from pilot to rollout.
Level 3 – Managed: Regular technology radar. Clear criteria for make-or-buy. Pilot projects have a defined go/no-go decision.
Level 4 – Strategic: Innovation is part of the IT roadmap. There is a budget for experiments. The company systematically learns what works – and what does not.
Self-check: In the last 12 months, has there been a technology pilot that came out of a structured process – and not from a vendor demo?
The pattern we see in Swiss SMEs
We have done this often enough now for a clear picture to emerge.
Most Swiss SMEs are at Level 2-3 in operations. Systems run. Someone takes care of them. There are processes – not always documented, but they exist.
But what about strategy and governance? Almost always Level 1-2. No IT plan aligned with the business. No clear decision rules. IT reacts instead of shaping.
And that exact gap is expensive.
Because operational stability is misleading. The company runs. Nobody complains. And then a project comes along that should really take three months – and takes a year. Not because of poor technology. But because nobody could decide, nobody had the budget, nobody knew the roadmap.
(We call this the "Level 2 trap": Everything works well enough that nobody starts making it fundamentally better.)
We uncover this in every IT audit – what we see and why, we described in this article about our IT audit experience.
How to deal with your result
If you have done the self-assessment, you will probably see an uneven picture. That is normal. No company is at the same level in all five dimensions.
The most important insight: Do not tackle everything at once.
Anyone who tries to improve five dimensions at the same time improves none of them. There is no time, no budget, and no focus – and after six months, the status quo is back.
Our approach: Fix the weakest dimension first. Not the most interesting one. The weakest one.
If strategy is at Level 1, it does not help to move operations from Level 2 to Level 3. The reason: without strategic alignment, you improve the efficiency of the wrong things.
If governance is at Level 1, all other improvements are slowed down by missing decision structures.
A practical sequence for most SMEs:
Bring strategy to Level 2 (IT roadmap aligned with the business)
Secure governance (who decides what, with which budget)
Bring security to at least Level 2 (incident response plan, basic protection, training)
Stabilize and document operations
Structure innovation
That sounds like a lot. But it is not, if you proceed step by step. An honest IT status assessment with a clear process often takes no more than a week.
What this looks like in practice – and why many IT decisions already fail in the process – we described in this article. And anyone who wants to know which warning signs point to acute problems will find them in our post on the 5 warning signs before every IT disaster.
The three takeaways
"No major problems" is not a benchmark. The most expensive IT problems do not come from mistakes, but from a lack of visibility. Anyone who has never explicitly assessed where they stand also does not know where they are heading.
The operations-strategy gap is the most common pattern. Swiss SMEs are often more competent operationally than they think – but weaker strategically. This asymmetry is the main reason why IT projects fail or take too long.
Focus beats completeness. Moving one dimension from Level 1 to Level 2 creates more real progress than lifting five dimensions by half a level each. Prioritize the weakest point – and start there.
If you are not sure which dimension is actually your weakest – or if the result of your self-assessment needs concrete next steps: That is exactly what our IT Strategy Advisory is for. No standard analysis, no 100-page report. Just a pragmatic picture of where you stand – and what is worth doing next.
