1. Shopping
2. Counting how many different birds you've seen in a year
3. Your favorite movies
4. Things your wife wants you to do around the house on the weekend (honey-do)
5. List of things you want to do before you die (bucket list)
Checklists are not particularly good for:
1. Evaluating cyber risk
2. Demonstrating your creativity
For any given set of security controls, there is a checklist to indicate compliance. Get a perfect score and you're "compliant". But that doesn't mean there is NO risk. Years ago, the measure of success was compliance. But all the checklists in the world won't stop:
1. a motivated hacker
2. an upset employee
3. someone circumventing security in the name of getting their job done
4. dumb
Yes, a list is simple, easy to understand, and shows completion. But a piece of paper has never stopped someone motivated to do something. So what will help reduce the cyber risk:
1. Proper inventory of IT assets, software/data on them, who has access, and where the data goes.
2. Cyber professionals with an intimate understanding of how a lab or office operates
3. Leadership buy-in for supporting the cyber team.
4. Continuous training or awareness of the key items they need to be aware of
5. A third-party evaluation of critical security controls
6. An ongoing internal
7. Evaluation of vulnerabilities and an understanding of the threat surface
8. Donuts
Being graded based on a checklist that doesn't take the local environment into consideration is like assuming everyone wears size 32 pants and 9 1/2 shoes. If the person signing off on the risk assessment of your facility/architecture is so far removed from what they're accepting risk for, then there needs to be additional care/feeding by the cyber professionals to ensure compliance is only the start of their overall cybersecurity program.
So if that means that creating system/lab-specific checklists helps safeguard the data, IT, people and facilities, so be it. See, not all checklists are bad.
Oh, and I just found out another thing checklists are good for:
1. Blog entries