AI First Steps: An Internal Maturity Assessment

Understanding where your firm is on the road to AI adoption can be complicated. Parts of the organization may be eager to get started while the company as a whole seems like it’s operating on paper and pen. There might be security considerations for part of the firm that don’t to every part of the company – does that mean everyone needs to wait while the lowest common denominator catches up?

Conducting an internal maturity assessment for your company can start with some objective evaluation criteria. The table immediately below outlines (in a very simplified way) the most critical points of analysis. You will notice there are only three rows to complete and two columns to complete.

If You Understand Your Data Structure, You Are Halfway There

The term thrown around is “crown jewels,” and it’s not bad. You have to identify your most critical pieces of data and know where they are stored, transmitted, and secured. Document this. Know who’s in charge of maintaining the setup. Move forward from there. What pieces of data are slightly less valuable but still important? Repeat the process.

Every business will define what’s important somewhat differently, but we all have a few things in common. Financial data is important. Customer data is very important, especially PII. Any data that falls into regulated, sensitive, and confidential categories is very, very important.

Security Documentation Solves Multiple Problems

A fair number of security professionals hate putting together documentation, but most of us recognize it’s a necessary chore. Not only does it help illuminate a complex framework for the business (read: the non-nerdy), but keeping excellent security documentation also forces the

firm to keep solid records as we change and evolve. In other words, the business might forget to update the data or process documentation, but updating the security documentation will help remind everyone.

Good security docs will illustrate the type of security applied, where it’s applied, how it’s audited, and by whom. Using scripting techniques, this author has been able to automate auditing an NTFS-permissions flat file system to enable governance without expensive third-party tools. If you do something similar, the audits should be reviewed by multiple internal parties, well-documented, and repeated frequently enough that changes are captured. Audits don’t have to be external, although that might be required for some types of business.

Process Documentation and Ownership

How does your business achieve its goals and deliverables? What systems, strategies, and workflows do you employ to achieve the desired outcomes for your team and clients?

The processes you have already implemented should be broadly documented and owned. You can learn your starting point.

When considering implementing AI, it’s generally with the thought that you will be improving something in your organization. Typically, it’s efficiency or effectiveness. Knowing your current processes before you begin gives you the ability to understand, measure, and adjust your implementation and outputs and have a much more successful AI test run.

Evaluating Your Assessment in the Context of AI

Give yourself marks on each of the items in the table. If you feel you’re up to par in terms of data and security but aren’t quite there on the process, you might judge that your firm is okay with proceeding with a limited AI implementation. Then again, you might decide to wait. After all, you will only know if your test of AI has been successful if you know what you want it to improve and know that you need to know your team’s processes before you begin. 

If your team is not as strong on your data or security maturity assessment, you would be advised to shore up before undertaking an AI implementation.