“Wise is not the one who knows all the answers but the one who knows what questions to ask”
More than an article, this is a conversation starter for the CISO and his/her team: What are your answers for this list of essential question that any information security department must deal with?
Obviously there are many other questions, these are just the foundation for a security program.
These questions are ordered, it will be hard to answer the last ones without having answers for the first ones.
For your organization:
- Who are the clients of the information security team?
- What are the drivers for security? This will include Business, Technical and Compliance aspects.
- What are the business significant security objectives? Have these been agreed with the clients of the information security team?
- How do you model your organization and the systems it relies on?
- What are the third parties you exchange information with?
- What is the list of assets that need to be protected? Who owns them? Who controls them?
- What are the threats or risks?
- What is the list of security controls or processes you have in place? What is the success criteria for each? How frequently do you check that they are not just effective but successful?
- What is the list of non-compliances that need to be remediated?
- What is your level of compliance?
- What is the list of vulnerabilities that need to be remediated?
- What is your level of security (or risk)?
- How do you maintain your knowledge base?
- What is your level of security maturity? This measures not your security but your ability to maintain and improve your security.
- How do you report the activity of the information security team?
- How do you report the value of security to your clients?
- How do you prove to third parties your level of security?
- What do you plan to do to improve the level of security (or decrease risk)?
How easy or difficult was for you and your team to formulate an answer?
If you find these questions too easy, either you are truly great CISO (please share answers) or your suffer a severe case of Duning-Kruger. I will leave to those readers to find out which.
Source: Questions a CISO should be able to answer
