As audit pressure grows, many teams struggle to turn security frameworks into day-to-day operational work. At Kiloverse, NIST CSF is the primary framework for maturity assessment, control documentation, and risk-based improvement planning across cloud, endpoint, identity, and network security. It also serves as a shared language for technical teams, leadership, and auditors.
Kiloverse formalized this approach during a recent audit cycle to move from one-off compliance exercises to continuous control maturity. During their PwC audit in Q3 2025, the team adopted SAMMY to centralize control ownership, evidence collection, and maturity tracking without adding bureaucracy. The result is less manual spreadsheet work, lower audit friction, and audit-ready documentation with executive-level visibility into security posture.
In this interview, Arturas Kesleris, Head of Security at Kiloverse, shares why they chose NIST CSF, the challenges of implementing it in cloud and SaaS environments, and how SAMMY helps drive measurable, continuous improvement instead of reactive fixes.
In what context are you using NIST CSF?
We are using NIST CSF as the primary framework to structure our security maturity assessment, control documentation, and risk-based improvement planning across cloud, endpoint, identity, and network security domains. It serves as our common language between technical teams, leadership, and auditors.
When did your organization start using NIST CSF?
We formally adopted NIST CSF during our recent security audit cycle as part of a broader effort to professionalize security governance and move toward continuous control maturity rather than one-off compliance exercises.
What were the deciding factors to select NIST CSF?
NIST CSF was chosen because it is risk-based, flexible, widely recognized by regulators and customers, and maps well to real-world security operations. It allows us to prioritize improvements based on business risk rather than purely checkbox compliance.
What are the biggest challenges in implementing OWASP SAMM?
The main challenge is translating high-level framework language into practical, evidence-backed controls across complex cloud and SaaS environments, while keeping documentation continuously updated as systems evolve.

Arturas Kesleris,
Head of Security @ Kiloverse
When did you start and what were the deciding factors for using SAMMY?
We started using SAMMY during the most recent PwC audit (Q3 2025) to centralize control ownership, evidence collection, and maturity tracking. The deciding factor was the need for a structured yet flexible platform that directly supports NIST CSF without becoming overly bureaucratic.
What are your objectives in the use of NIST CSF and SAMMY? What do you hope to achieve?
- Maintain a living security control framework
- Map tools and processes to risk outcomes
- Track maturity improvements over time
- Reduce audit friction and manual documentation
- Drive security investment based on measurable gaps
Ultimately, we want continuous security improvement rather than periodic compliance stress.
What have been the main benefits so far of working with Codific and SAMMY?
“Working with Codific and using SAMMY has made a real difference in how we implement NIST CSF, giving us a clear structure to follow, one central place to manage control documentation and evidence, and a big reduction in manual spreadsheet work, which turned a complex framework into something truly operational.”
What are your three favorite features or functionalities of SAMMY? Can you share why these are important to you and how they have helped you so far?
Our favorite parts are the control to evidence mapping, the maturity tracking and improvement planning, and the centralized control ownership.
The mapping saves us a lot of time. It links tools, logs, and internal docs directly to specific NIST controls. It also makes audits faster. It makes them easier to defend too.
The maturity tracking helps us stay on track. We can see current state, target state, and progress per control. That gives us real governance value.
The ownership view makes accountability clear. It shows who owns each control. That improves follow-through across teams.
Would you recommend the use of NIST CSF to others? And if so, for which kind of situations/organizations would it fit best?
We can strongly recommend NIST CSF with SAMMY for cloud-first organizations. It is also a great fit for scaling startups and mid-size companies. It helps teams that are moving from ad hoc security to structured governance. It is especially useful for organizations preparing for SOC 2, ISO 27001, or regulatory scrutiny, and for those working with external auditors.
Do you have any advice for those looking to start implementing NIST CSF with SAMMY?
Our advice is to start with an honest current-state assessment, not aspirational scoring. We focus first on the highest-risk areas, like identity, cloud, monitoring, and data protection. We attach real evidence early, so we build audit readiness as we go.
We treat SAMMY as a living system, not a one-time audit tool. We use maturity targets to guide roadmap decisions. That keeps our work practical, measurable, and focused on real improvement.
What role do you think NIST CSF will play in the future for the industry?
NIST CSF has already established itself as a de-facto standard for cybersecurity risk management across many industries, from technology and finance to critical infrastructure and cloud-first organizations. It is increasingly referenced by regulators, customers, auditors, and insurers as a trusted benchmark for security maturity. Rather than being seen as an optional framework, it is becoming the common baseline organizations are expected to align with, providing a shared language for security posture, risk communication, and continuous improvement across the industry.
Do you use, or are you planning to use, any other frameworks other than NIST CSF? Can you tell us how this fits into your situation?
While NIST CSF serves as our primary, risk-based governance framework, we also reference more domain-specific maturity models such as OWASP SAMM for application security and DSOMM for detection and security monitoring maturity. These frameworks provide deeper operational guidance in specialized areas like secure software development and monitoring effectiveness, which complements NIST CSF’s high-level structure. Together, they allow us to maintain a unified security strategy at the governance level while continuously improving technical maturity within specific security domains.
Is there anything we forgot to ask in these questions that you think is important? Anything you would like to add?
The biggest value SAMMY brings is turning security frameworks into practical operational tools. It bridges the gap between security engineering reality and governance expectations, which is where most organizations struggle.