In addition to your thoughts on the maturity model, Michael, I think we should work on the maturity model for companies.
3a. Maturity model for organizations. When trying to improve security through a SecOps lens, how should an organization assess its current state? What are the stages that a company can go through? How do you move up the maturity curve? What are the benefits that are achieved by groups at a higher level of maturity and what are the costs? What are the best practices that are associated with each stage? What are the characteristics and the skill sets of the people in each stage?