The Leading Indicators of a Great Info/Cybersecurity Program - Updated
As we see more incidents occurring, whether ransomware, data breaches or fraud, many thoughts turn to how to know whether those we do business with are truly secure - by any reasonable measure. However, it can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you are about to invest in.
It is possible to get a good view and to go really deep if you devote the time with on-site reviews, detailed examinations, reviews of audits, certifications and security testing results, as well as people capability assessments, governance check-ups, ratings examination and so on. You should, of course, do this deep dive when it is absolutely needed. But, what if you can’t do all of that for whatever reason (time, money, skills, access) but you still want more than just a cursory point-in-time view of their security?
To do this you need to look at what are the leading indicators that you can check for that if they are present then it means there’s a pretty good chance all else at a detailed level is going to be reasonably ok. Here are some I use, and the more of these that are present then the higher assurance you will get short of doing a more exhaustive approach:
Accountable Executive. There is a senior (in the organization hierarchy) accountable leader for security, a CISO or other role - someone at an executive level clearly and indisputably on the hook - with the support of other management - for the effectiveness of the security program.
Experience Depth. That leader and others (e.g. senior engineers, PMs, CIO, CTO, Chief Risk Officer, Head of Audit) have a depth of expertise built up over some years. This isn’t just about time served, the quality of experience is more important than elapsed time.
High Reliability Organization. The organization has at least some of the qualities of a high reliability organization such as preoccupation with failure/incident learning, commitment to resilience and deference to expertise. A signal of this in your conversations with them could be as simple as how intrigued or welcoming they are of your (good) questions. You can also often discover this in published post-mortems, blog posts or other materials.
Independent Challenge. There is some organization (internal or external) that provides a regular independent view of security (be it a risk function and/or an audit function, or external counterparts) that report directly to the Board or one of its committees. A view of this can often be found in public disclosures and filings.
Strategic Architecture. There is an enterprise architecture or design framework that establishes a defensible environment (not just specific controls - but an array of controls shown to be working together), an approach for embedding controls in business and IT processes (ambient control) and an overall zeal for creating secure products by design (shift left). This is hard to publicly assess but can be discovered somewhat through conversations with the organization, and in some cases looking at what their teams speak about externally.
Transparency. They don’t keep you at a distance and their risk register, controls, incident and issue history is widely shared and discussed within the organization so they can improve. The same incidents / issues rarely recur - they learn and adapt.
Preventative Maintenance. There is a tangible budget / plan for preventative maintenance - system improvements, end of life (especially stagnant) systems replacement, upgrades, technical debt pay down and so on.
Extended Enterprise. They look at their business and technology processes from the customer (upstream), through their environment, to their supply chain (downstream) - even to their 4th parties (suppliers of suppliers).
Contribution. For larger organizations it also worth assessing whether they are an active participant in the community at large, whether it is their people being visible in publications or research, participating in ISACs, contributing to the care of open source projects, or funding other work. A lot of these activities are usually bottoms-up driven by employees and are therefore a signal of a motivated, enthusiastic and reasonably well-resourced security team.
Vulnerability Reporting Process. They have a visible vulnerability reporting process and participate in one or more bug bounty programs.
Bottom line: It's not always possible to deeply assess organizations. However by looking for these leading indicators you can get some sense of security intent and focus. The presence of these won't, of course, guarantee good security but their absence will be a pretty strong signal that security won't be good and so will merit a deeper assessment if you need to care.