LensSee the real state of your insider risk program.
An adaptive insider risk maturity assessment for leadership and domain owners. It measures whether the program works in practice, not just whether one exists on paper.
Program maturity across 9 axes
No structured starting point
Most organizations know insider risk matters. Few have a diagnostic that covers the full program, not just the detection layer.
Fragmented ownership
Insider risk spans Security, HR, Legal, and IT. Each function sees a slice. Nobody has the full picture.
No board language
A maturity score alone does not move budget. Translating program gaps into financial exposure is the missing step.
Regulatory pressure, no roadmap
NIS2, DORA, and GDPR require proportionate, documented programs. Most organizations do not know where they stand.
Not a questionnaire. A diagnostic.
Six structural differences that change what the results are worth.
Measures the whole program
Nine axes, from governance to wellbeing. A detection-only score describes one layer of a nine-layer program.
Evidence confidence alongside every score
Claim vs. proof. A parallel confidence score runs with every maturity score, so results are defensible, not self-certified.
Questions go to the right people
The CISO does not answer DPO questions. Each module routes to the function that can actually answer it.
Delivers the board number
Annual Loss Expectancy per scenario, calibrated to sector and size. The output that moves budget conversations.
A program profile, not just a level
The output shows the shape of the program: which axes are strong, which are weak, and what that means for investment.
Vendor-neutral by design
Belfort Advisory has no monitoring product. Every recommendation is grounded in maturity evidence, not vendor margin.
Nine axes. The full program.
Most assessments invest in one or two. Belfort Lens measures all nine, including two that no other assessment addresses.
Governance
Executive ownership, charter, risk appetite, board engagement
Execution
Operational delivery, program cadence, accountability
Technology
DLP, identity, access management, detection, data controls
Legal & Privacy
Proportionality, lawful basis, DPIA, regulatory alignment
Human Factors
Screening, culture, awareness, workforce lifecycle
Visibility
Logging coverage, behavioral analytics, alert triage
Response
Incident management, forensics, containment, recovery
Friction
Whether your controls create the conditions they aim to prevent
Wellbeing
Psychological safety, burnout signals, workforce trust
Adaptive. Cross-functional. As deep as needed.
Questions route to the right people. Depth adjusts to the organization's readiness.
Scoping
Sector, size, regulatory exposure, and risk priorities shape what follows
Rapid Benchmark
Strategic snapshot across all nine axes. Initial findings and program profile produced here
Deep Dive
Routed to domain owners. Each module goes to the accountable function
Specialist
Auto-surfaces when a domain scores below threshold. Depth only where warranted
CISO / Security
Program governance, threat model, detection, response
Legal / DPO
Monitoring lawfulness, proportionality, investigation governance
HR / CHRO
Culture, wellbeing, lifecycle, awareness
IT / IAM
Access management, data classification, technical coverage
What you say you do.
What you can prove you do.
A confidence score runs alongside every maturity score. High maturity with low evidence is a finding.
A typical self-assessment
Belfort Lens
Evidence Confidence Score (example)
Board-ready outputs. One assessment.
Outputs scale from the rapid benchmark through to the detailed assessment.
Executive Summary
Board-calibrated narrative. Exportable PDF or DOCX. Four key findings, not a technical appendix.
9-Axis Deep Dive
Declared vs. evidence-verified scores for each axis. Radar visualization of the program's shape.
Risk Quantification
Annual Loss Expectancy per insider risk scenario, calibrated to sector and size. The board number.
Action Plan
Vendor-neutral recommendations with effort, cost range, and time-to-impact. Filtered to your risk appetite.
Jurisdiction Readiness
Per-country legal posture for monitoring activities across EU, UK, and global profiles.
Program Profile
The shape of the program, what that pattern means, and what will actually move it.
A common fact base, not another static maturity score.
Illustrative views with fictitious data. The goal is to give internal teams a shared picture that drives decisions.
Board Report & Program Profile
Maturity scores, evidence confidence, financial exposure estimate, and risk roadmap — in one view.
Action Plan & Capability View
Prioritised recommendations, effort estimates, and assessment patterns at investment level.
Built for programs ready to be looked at honestly.
CISOs and security leaders
Building or stress-testing an insider risk program, with outputs that work at board level.
Risk and compliance leaders
Demonstrating insider risk governance to a board or regulator, backed by evidence rather than self-assessment.
Legal and DPO teams
Validating that monitoring is proportionate and legally defensible under NIS2, DORA, and GDPR enforcement.
Organizations under pressure
M&A, workforce change, regulatory audit, or a recent incident. Any trigger requiring an honest view.
Start with the rapid benchmark.
Start with the rapid benchmark. Detailed assessment available. No vendor agenda.
Belfort Advisory · Request Belfort Lens access
© 2026 Belfort Advisory BV. All rights reserved.
LensInsider Risk. Practitioner-built.
Belfort Advisory works with organizations building and maturing insider risk programs. Assessment, advisory, and program design grounded in practitioner experience, not product sales.
belfort-advisory.com →Practitioner-built, not vendor-backed
The methodology comes from experience building insider risk programs, not from a product roadmap. Recommendations are vendor-neutral because Belfort has no monitoring technology to sell.
Built for European regulatory reality
NIS2, DORA, and GDPR enforcement of employee monitoring are all increasing. The Legal axis and jurisdictional outputs exist because proportionality is now a compliance requirement.
The full program, not a slice of it
Insider risk is a people problem with technical dimensions, not the other way around. Belfort Lens measures the full scope in a single adaptive engagement.