In an ER when a new patient presents, doctors need to quickly assess the patient’s health and determine what needs to be done. Their survey checklist of mental state, airway, breathing, and circulation is intended to ensure that the most critical issues are identified and treated first, and that vital functions are not neglected. If you are a CISO, CIO, CEO or board member, how can you quickly assess whether you have a healthy security program?
The traditional approach of engaging outside consultants and spending weeks and hundreds of thousands of dollars is one approach if you can afford it — the equivalent of checking a possible car crash victim into the Mayo Clinic for a week long battery of tests (during which time they may bleed to death). Another is to use the heuristic questions below to quickly assess whether the critical functions of a security program are being performed, and base your judgment off of that. Based on my experience as a CISO with over 20 years experience, I believe this will provide you with just as accurate a measure of the overall health of the program, in a far shorter time, and with much less confusing jargon to wade through.
The one-minute health check is intended to give a senior leader without in-depth knowledge of a security program a quick way to gauge whether the program is performing effectively. Using the Missouri saying of “Show Me” as the foundation, conducting the health check is as simple as asking the individuals responsible for the program (start with the CEO) to answer yes or no to the following questions. Answer “yes” if it is fully implemented and documented, “no” to anything less. Most important, if the answer is “yes”, ask for the written proof that it is so in terms of documentation, diagrams, systems, policies, etc. If the answer of “yes” cannot be verified, then it is not “yes”. If the answer is “no”, ask for an explanation in terms of what is not done — it is not fully documented, and/or it is not fully implemented and what is being done about it.
Health Check Questions
- All relevant information in the organization is identified, classified and managed.
- All information processing assets (software, SaaS, servers, endpoints, network devices, etc) are identified and managed.
- Threats to these assets are identified and actively monitored, including regulatory and contractual obligations.
- Risks to assets are identified, treated and actively tracked.
- Controls to counter threats have been determined, risk prioritized and implemented.
- Metrics are gathered and reported on a regular basis on the effectiveness of controls.
- Plans are prepared and practiced to respond to the most likely incidents.
- Staff are regularly informed and trained on their information security responsibilities, commensurate with their role.
- Assessments of the program and tests of the environment are conducted on a regular basis and used to update the program as appropriate.
- A qualified person has been appointed to lead and manage the above, with sufficient authority and resources to achieve these objectives.
Grading the results
The health check questions break into two major groups. Questions in the first group are foundational (3, 4, 5, 8 and 10) — all security programs must meet these in order to be effective. Questions in the second group (1, 2, 6, 7 and 9) are indications of a more mature security program.
In scoring the responses received to the health check, it is important to consider more than just the overall percentage of “yes” responses, but also consider which group they fall in. What you want is to see at least 80% “yes” to the foundational questions, with whatever percentage “yes” to the maturing questions being an indication of the overall program maturity.
Even more important than the “yes/no” answers and associated documentation, is the discussion that they should prompt between the questioner and the responder regarding the answers. Why the person answering feel’s the answer is “yes” or “no”, and how well they can explain and defend their answers will go much further in showing the true state of the program than wading through a jargon-filled 500-page report. In that regard, using these questions and their answers can make for an informative and likely lively discussion between the CISO and the board regarding a company’s security posture — much more so that the traditional eye-glazing powerpoint presentation.
One of my biggest frustrations over my career has been the “3 Monkeys” attitude (Hear No Evil, See No Evil, Say No Evil) of some boards in regards to discussing cyberrisk and security, and the stage management that goes into making sure that nothing controversial is raised to the board. If this does not describe your board, then this is a tool that can help both the CISO and the board have an honest discussion about where they are and where they want to be.