Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show Name: CISO Insights
Topics: Cybersecurity
One of the hardest challenges in cybersecurity isn’t just defending systems — it’s knowing whether you’re doing enough. In a recent discussion, Steve Winterfeld, Advisory CISO at Akamai, shared insights on a new framework created by Akamai and FS-ISAC to address that exact question: the DDoS Maturity Model.
As Winterfeld explains, the model was designed to help organizations evaluate their readiness against denial-of-service threats and communicate more effectively with their leadership teams. “When I talk to boards, they always ask, ‘How are we doing compared to others in our industry?’” he said. The challenge is translating technical capability into business terms that align with risk appetite and shareholder responsibility.
The DDoS Maturity Model introduces five levels — Initial, Reactive, Proactive, Managed, and Adaptive — that provide a structured way to assess where a company stands.
- Initial represents minimal capability, with only the most basic protections in place.
- Reactive means the organization can respond but will likely experience impact.
- Proactive suggests preparedness, though limited by scale or complexity.
- Managed reflects mature, consistent defenses with defined processes.
- Adaptive, the highest level, describes an organization that learns and evolves based on changing threats.
For boards and CISOs, the model provides a common language for decision-making. It enables leadership to understand what “good” looks like, identify gaps, and allocate budgets strategically. “You can invest $100 or a billion dollars in security,” Winterfeld said. “Neither number guarantees no one gets in. The key is finding the right balance for your organization.”
The model’s real strength lies in its ability to guide discussions about accountability and reasonable expectations. For example, a credit union might reasonably aim for “Proactive,” while a global financial institution should operate closer to “Managed” or “Adaptive.” This approach allows organizations to contextualize their defenses in line with industry norms and risk tolerance.
By offering measurable milestones, the DDoS Maturity Model also helps security teams demonstrate progress over time. It shifts the conversation from fear-based justification (“We could be attacked”) to performance-based management (“We’ve advanced from Reactive to Managed”). That evolution can be critical for earning executive buy-in and sustaining long-term investments.
The framework also complements Akamai’s broader mission of building cyber resilience through shared intelligence. By collaborating with FS-ISAC — which represents more than 5,000 financial institutions worldwide — Akamai ensures that insights from real-world attack data inform practical tools that CISOs can use.
As threat actors become more adaptive themselves, this kind of maturity modeling helps organizations stay aligned with evolving realities. The next frontier, Winterfeld suggests, will be applying similar frameworks across other forms of cyber defense — from API security to incident response readiness.