
How we measure SOC maturity for the Mexican public sector

A simple operational matrix — and why generic maturity models often fall short for state and municipal entities.

BITS SOC team · Tags: SOC, MDR, Public sector, MAAGTICSI

Conversations about SOC maturity in the public sector usually start with an imported questionnaire: NIST CSF, CMMC, CIS Controls. They're useful as references, but they carry assumptions about budget, organizational structure and procurement model that don't apply to a Mexican state or municipal entity.

After several years of operating a SOC for public-sector clients, we ended up building an internal matrix that measures five dimensions grounded in local operational reality. We share it here not as gospel but as a starting point for technical discussion.

The five dimensions

1. Effective coverage

Not "what tools we have" but "which assets are under continuous monitoring with defined use cases". The gap between having FortiSIEM installed and having every log source parsed, every alert with a validated threshold and every runbook signed off is measured in months, not weeks.

2. Response capacity

What happens when a critical alert lands at 3 a.m. on a Sunday? The answer should be "handled within 15 minutes per runbook X" — not "sent to Juan's inbox, who's back Monday".

3. Regulatory traceability

MAAGTICSI, NIST CSF and INAI guidelines require technical evidence during audits. Maturity shows in whether that evidence can be produced in hours or whether each audit turns into a minor crisis.

4. Integration with non-IT areas

A mature SOC talks to legal, comms, HR and the executive office. Not just IT. The question is: is there an incident-communication protocol that includes the first decision-making circle?

5. Continuous improvement

Metrics that should trend down (MTTA, MTTR, false-positive rate) or up (coverage, number of validated use cases). If 12 months go by without the needle moving, something in the process is broken.
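As an added illustration of how the "needle" in this dimension can be checked mechanically, the following Python script computes MTTA, MTTR and false-positive rate per month from a set of incident records and reports which metrics failed to improve between the first and last month on record. It is example code written for this post, not tooling from BITS or from any SIEM; the incident records are constructed inline, and the 10% improvement threshold is an assumption, not a figure from the matrix.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean


def build_sample_incidents():
    """Constructed sample data, not from any real client: one true positive
    and one false positive per month of 2024, with acknowledge and close
    times that improve steadily through the year.
    Each record: (alert_time, ack_time, close_time, false_positive)."""
    records = []
    for i in range(12):
        alert = datetime(2024, 1 + i, 15, 3, 0)          # the 3 a.m. alert
        ack = alert + timedelta(minutes=40 - 2 * i)      # 40 min in Jan, 18 min in Dec
        close = alert + timedelta(minutes=240 - 10 * i)  # 4 h in Jan, 130 min in Dec
        records.append((alert, ack, close, False))
        fp_alert = alert + timedelta(hours=6)            # a false positive, closed fast
        records.append((fp_alert, fp_alert + timedelta(minutes=5),
                        fp_alert + timedelta(minutes=10), True))
    return records


def minutes_between(start, end):
    return (end - start).total_seconds() / 60.0


def monthly_metrics(incidents):
    """Group incidents by the month of the alert and compute, per month:
    mtta_min: mean minutes from alert to acknowledgement (all alerts),
    mttr_min: mean minutes from alert to closure (true positives only),
    fp_rate:  fraction of alerts triaged as false positives."""
    by_month = defaultdict(list)
    for rec in incidents:
        by_month[rec[0].strftime("%Y-%m")].append(rec)
    metrics = {}
    for month in sorted(by_month):
        recs = by_month[month]
        tta = [minutes_between(a, ack) for a, ack, _, _ in recs]
        ttr = [minutes_between(a, c) for a, _, c, fp in recs if not fp]
        metrics[month] = {
            "count": len(recs),
            "mtta_min": mean(tta),
            "mttr_min": mean(ttr) if ttr else None,  # a month with only FPs has no MTTR
            "fp_rate": sum(1 for r in recs if r[3]) / len(recs),
        }
    return metrics


# All three metrics in this block are "lower is better"; coverage and use-case
# counts would be tracked the other way round.
LOWER_IS_BETTER = ("mtta_min", "mttr_min", "fp_rate")


def stalled_metrics(metrics, min_improvement=0.10):
    """Compare the first and last month on record and return the names of the
    metrics that did not improve by at least min_improvement (an assumed 10%).
    With fewer than two months there is no trend, so everything is stalled."""
    months = sorted(metrics)
    if len(months) < 2:
        return list(LOWER_IS_BETTER)
    first, last = metrics[months[0]], metrics[months[-1]]
    stalled = []
    for name in LOWER_IS_BETTER:
        a, b = first[name], last[name]
        if a is None or b is None:
            stalled.append(name)          # no measurement, so no evidence of movement
        elif a == 0:
            if b > 0:
                stalled.append(name)      # was already at zero and got worse
        elif (a - b) / a < min_improvement:
            stalled.append(name)
    return stalled


if __name__ == "__main__":
    m = monthly_metrics(build_sample_incidents())
    for month, vals in m.items():
        print(month, vals)
    print("stalled over the period:", stalled_metrics(m))
```

On the constructed data MTTA and MTTR fall through the year, while the false-positive rate stays flat at 50%, so the script reports `fp_rate` as the one metric where the needle has not moved; that is exactly the kind of signal the fifth dimension is meant to surface before twelve months have gone by.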

How an assessment starts

A typical diagnostic takes 2 to 3 weeks:

  1. Interviews with IT and user areas.
  2. Technical review of sources, use cases and active SLAs.
  3. Tabletop with a plausible scenario for the entity.
  4. Executive report with prioritized gaps and a remediation plan.

No obligation to contract afterwards. The idea is to deliver something useful even if the entity decides not to move forward with us.

In closing

Maturity isn't a score; it's a practice. The difference is made by operating every day with discipline, not by downloading a questionnaire and filling it in once a year.