
Security Maturity Becomes a Leadership Framework as CX and CISOs Align On Resilience

Cresta News Desk
Published January 29, 2026

Wintrust Financial Senior VP Michael Wichmann shares how security maturity guides smarter tradeoffs, keeping customer experiences stable as fraud and AI-driven threats accelerate.

Credit: Outlever

Key Points

  • Security maturity is a decision-making system that prioritizes resilience over perfection, ensuring trustworthy customer interactions and protecting brand reputation.

  • Michael Wichmann, a senior security leader at Wintrust, applies the Capability Maturity Model (CMM) to identify the highest risks and strategically decide where to focus resources and what to let go.

  • This "rinse and repeat" cycle creates a transparent security culture that partners with the business, enabling CX innovation while adapting to threats like Fraud GPT.

"In this framework, resilience becomes the critical measure of success because it's not a matter of if, but when you will be hit with something. That resiliency needs to be built in."

Michael Wichmann, Senior VP & Director of Information Security, Corporate Security, Identity & Fraud, Wintrust Financial Corporation

Security maturity isn't a fixed goal for leaders. Instead, it's a decision-making system that helps them prioritize, deprioritize, and even deliberately let some things go. The approach focuses on resilience over perfect security, and for CX executives, it means ensuring uninterrupted, trustworthy customer interactions that protect the brand reputation supporting every customer relationship.

To connect the dots between CISO and CX, we spoke with Michael Wichmann, Senior VP and Director of Information Security, Corporate Security, Identity & Fraud at Wintrust Financial Corporation. He believes the CISO's main role is to choose what matters most and build a strong story around it. That often means prioritizing sensitive customer data and critical customer-facing services. "You can’t do everything you want, but you can do anything you want. You just don’t have the time or the resources to do everything, so you have to pick," Wichmann says.

  • Order from chaos: A formal prioritization system is essential for organizations scaling AI systems. Wichmann applies the five-level Capability Maturity Model (CMM) to deliver real business value through four pillars: resource optimization, risk reduction, stronger governance, and improved ROI. "When I started, the information security team was less than six months old at a $25 billion company, and I was employee number six. Everything was chaotic," he recalls. "At best, we had repeatable processes, but we were nowhere near a defined model." This chaos, if unchecked, directly impacts customer trust, leading to inconsistent or insecure customer journeys.

  • Permission to let go: For CX leaders, CMM means optimizing security investments to protect customer experiences, which reduces friction from security incidents, ensures consistent and compliant customer interactions, and ultimately builds a stronger, more trusted brand. "My heat map shows me the areas I'm most susceptible. The highest risk. I need to spend my time over there," Wichmann explains. Strategic prioritization focuses resources on protecting the most critical customer-facing assets and experiences.

The system runs on a "rinse and repeat cycle," adapting to ever-changing global threats. According to Wichmann, security maturity is fluid. A business pivot can instantly reset a high-maturity area to square one. This reality reinforces the need for proactive security measures and a resilience-focused mindset. For CX, this adaptability is crucial. It lets the organization rapidly and securely deploy new customer-facing features and services, ensuring security never becomes a bottleneck.

  • The reset button: Wichmann's role in a major digital transformation involving new, customer-facing financial applications is to establish an operating model that works on the security side and the CX side. "Now I'm in charge of all customer authentication, which is something that wasn't even on the table six months ago. I'm no longer 'mature,' but I can adjust based on the new requirements."

  • Bend, don't break: "Perfection isn't resilience. In this framework, resilience becomes the critical measure of success because it's not a matter of if, but when you will be hit with something. The question is, how much can you bend and not break? That resiliency needs to be built in," Wichmann states. For customers, this means fewer disruptions, sustained trust, and continued data protection even when incidents occur.

The relentless reassessment forces a transparent culture, fighting information hoarding that can lead to team burnout and failure. A transparent, collaborative security team better supports CX initiatives and gets the resources it needs to be successful. Security becomes an enabler, not a blocker, for customer-centric innovation. "My role is to listen to the business and translate their goals into security terms. We have to be on the same page. I have to get on your bandwagon, but I need you to get on mine, too," Wichmann explains. This collaborative mindset is essential for CX leaders. It ensures security proactively partners with customer-facing teams to build secure and innovative solutions.

For CX executives, this means safeguarding customer accounts, maintaining trust in digital interactions, and ensuring the customer journey's integrity against evolving threats. "You have things like 'Fraud GPT,' where you can buy a tool on the dark web to commit fraud for $120 a month. Then you have face ID recognition workarounds where I can take your face, create a moving model of it, and break into your crypto wallet. Where was that two years ago? That's brand new," Wichmann concludes. As threats accelerate, security becomes part of the experience itself. When it works, customers never notice. When it fails, they feel it immediately.