The Leading Indicators of a Great Info/Cybersecurity Program
It can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you are about to invest in. It is possible to get a good view and to go really deep if you devote the time with on-site reviews, detailed examinations, security testing results, people capability assessments, governance check-ups and so on. You should, of course, do this deep dive when it is absolutely needed. But, what if you can’t do all of that for whatever reason (time, money, skills, access) but you still want more than just a cursory point-in-time view of their security?
What are the leading indicators you can check for which, if present, suggest a good likelihood that everything else at a detailed level is reasonably OK? Here are some I use:
Accountable Executive. There is a senior accountable leader for security in the organizational hierarchy, a CISO or similar role: someone at an executive level who is clearly and indisputably on the hook, with the support of other management, for the effectiveness of the security program.
Experience Depth. That leader and others (e.g. senior engineers, PMs, CIO, CTO, Chief Risk Officer, Head of Audit) have a depth of expertise built up over some years. This isn’t just about time served; the quality of experience matters more than elapsed time.
High Reliability Organization. The organization has at least some of the qualities of a high reliability organization, such as preoccupation with failure and incident learning, commitment to resilience and deference to expertise. A signal of this in your conversations with them can be as simple as how intrigued by, and welcoming of, your (good) questions they are.
Independent Challenge. There is some organization (internal or external) that provides a regular independent view of security (be it a risk function and/or an audit function, or external counterparts) and that reports directly to the Board or one of its committees.
Strategic Architecture. There is an enterprise architecture or design framework that establishes a defensible environment (not just specific controls - but an array of controls shown to be working together), an approach for embedding controls in business and IT processes (ambient control) and an overall zeal for creating secure products by design (shift left).
Transparency. They don’t keep you at a distance, and their risk register, controls, and incident and issue history are widely shared and discussed within the organization so they can improve. The same incidents and issues rarely recur - they learn and adapt.
Preventative Maintenance. There is a tangible budget / plan for preventative maintenance - system improvements, end of life systems replacement, upgrades, technical debt pay down and so on.
Extended Enterprise. They look at their business and technology processes from the customer (upstream), through their own environment, to their supply chain (downstream) - even to their fourth parties (suppliers of suppliers).