The Leading Indicators of a Great Info/Cybersecurity Program. A thread.

[see also : bit.ly/2TNgkb0]

It can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you are about to invest in.

1/13
It is possible to get a good view and to go really deep if you devote the time with on-site reviews, detailed examinations, security testing results, people capability assessments, governance check-ups and so on.

2/13
You should, of course, do this deep dive when it is absolutely needed. But, what if you can’t do all of that for whatever reason (time, money, skills, access) but you still want more than just a cursory point-in-time view of their security?

3/13
What are the leading indicators you can check for such that, if they are present, there's a pretty good likelihood all else at a detailed level is going to be reasonably ok? Here are some I use:

4/13
1. Accountable Executive. There's a senior (in the org. hierarchy) accountable leader for security, a CISO/other role - someone at an executive level clearly & indisputably on the hook - with the support of other management - for the effectiveness of the security program.

5/13
2. Experience Depth. That leader and others (e.g. senior engineers, PMs, CIO, CTO, Chief Risk Officer, Head of Audit) have a depth of expertise built up over some years. This isn’t just about time served, the quality of experience is more important than elapsed time.

6/13
3. High Reliability Organization. The organization has at least some of the qualities of a high reliability organization (bit.ly/37n1QSV) such as preoccupation with failure/incident learning. A signal of this could be as simple as how welcome your questions are.

7/13
4. Independent Challenge. There is some organization (internal or external) that provides a regular independent view of security (be it a risk function and/or an audit function, or external counterparts) and reports directly to the Board or one of its committees.

8/13
5. Strategic Architecture - an enterprise architecture or framework that establishes a defensible environment, an approach for embedding controls in business and IT processes (ambient control) and an overall zeal for creating secure products by design (shift left).

9/13
6. Transparency. They don't keep you at a distance, and their risk register, controls, incident and issue history is widely shared and discussed within the organization so they can improve. The same incidents / issues rarely recur - they learn and adapt.

10/13
7. Preventative Maintenance. There is a tangible budget / plan for preventative maintenance - system improvements, end of life systems replacement, upgrades, technical debt pay down and so on.

11/13
8. Extended Enterprise. They look at their business and technology processes from the customer (upstream), through their environment, to their supply chain (downstream) - even to their 4th parties (suppliers of suppliers).

12/13
Bottom line: not only are leading indicators a potentially efficient way of assessing risk, they are perhaps a more reliable indicator for assessing the sustainability of an organization's security program. Which ones would you add?

13/13
Thread by Phil Venables