At its most simple, his model goes something like this. The foundation -- something that is absolutely critical to a corporate-wide security plan -- accounts for the stuff you can't see, primarily the measurement of or justification for IT security. It's the part of the plan that is not readily visible to many, but can help you educate others about the need for security.
Next is the biggest part -- the structure itself, which basically aligns security with business goals. By showing the business need for security, you can reveal to the rest of your company that secured information is more valuable and that business services can be extended.
Finally, there's the roof, which caps off all the other areas. This layer is all about accountability. By implementing the best security processes and tools you can, you will be able to address compliance demands and, ultimately, help to keep your C-suite out of jail.
Now, the whole point of such a model is becoming proactive. Also, in reaching such maturity, you should be able to accept some risks. For example, you should be able to decide that there are parts of the network that can get hit by an attack while assets and functions that really matter are still robustly chugging along.
Reactionary stances, such as those that depend on patch management, on the other hand, are too tactical. They don't allow IT security executives to look at the bigger picture and become more mature.
But in accounting for all the various problems our readers and other CSOs face, sometimes a tactical route is the best and most obvious move to take. The amalgamation of zero-day threats, compliance demands, and still more problems pushes corporations to address the most pressing challenges first. While a strategic long-term plan is absolutely necessary, so too are tactical ones that enlist the likes of patch management techniques.
You can build a house to the most detailed specifications, thinking that all is just right. But, despite your best efforts, there are always things that come up. And, those unexpected challenges just may prompt you to deviate from your well-thought-out strategy -- perhaps, after some damage is done.