It is more important than ever to safeguard your business. As the drumbeat of news about breaches continues, the stakes have never been greater. You must stay a step ahead of the cyber criminals.

The battlefield is no longer contained and the battle is daily. One fact remains constant: there are those inside and outside of your organization who are looking for ways to pilfer and use your data, potentially causing great harm to your organization.

A real information security leader knows who and what they need to protect and has the strategy, mindset, vision and allies, as well as the right tools, to survive. But with the field changing almost daily, how do you measure true leadership?

If you are an information security leader, are looking to become one, or need to interview a potential leader, then I have created a simple (far from perfect) methodology that you can use to test or rank yourself or a candidate. I use it, as do others in the private and public sector, for a quick yet effective assessment. Give it a shot.

There are 25 questions, each with a maximum of 2 points. When you’re done, just multiply your total score by 2 to obtain your percentage.

You may ask what percentage makes you a true leader. It’s all about knowing your shortcomings and what’s right for your business.

Questions should be scored from 0 to 2 based on the following responses:

0 = No or Not Applicable

1 = Somewhat or Partial Proficiency

2 = Yes

1.   Do you think like an auditor? (0/1/2)

2.   Do you think like a hacker? (0/1/2)

3.   Do you know where your high-risk data is stored inside and outside the company? (0/1/2)

4.   Do you know where and when your high-risk data is in transit? (0/1/2)

5.   Do you know who has access to your network – wired and wireless? (0/1/2)

6.   Do you know who has access to sensitive data – employees, contractors, vendors? (0/1/2)

7.   Do you have ongoing metrics that spell out how well your security controls are implemented and working? (0/1/2)

8.   Can you detect and prevent data leakage in real time? (0/1/2)

9.   Do you actively participate in change management? (0/1/2)

10. Do you adequately test your web sites exposed to the Internet, even if they are hosted by a third party service provider? (0/1/2)

11. How well tuned in are you to real-time alerts from inside and outside of your network? (0/1/2)

12. How well can you read and interpret Vulnerability Assessment and Penetration Testing reports? (0/1/2)

13. How well do you know ISO 27002, SANS Security Controls, COBIT 5, OWASP? (0/1/2)

14. How well do you comply with standards applicable to your business – PCI DSS, HIPAA, etc.? (0/1/2)

15. Have you led or participated in Incident Response? (0/1/2)

16. How mature is your vendor security model? (0/1/2)

17. Do you know your high-risk vendors? (0/1/2)

18. How well do you perform due diligence of your high-risk vendors? (0/1/2)

19. How comfortable are you with all of the security contractual language in your contracts for your high-risk vendors? (0/1/2)

20. Do you have credibility with your business partners? (0/1/2)

21. Do you engage in higher than normal risk acceptance and/or risk exception? (0/1/2)

22. How comfortable are you with your sensitive data in the cloud (adequate controls and monitoring)? (0/1/2)

23. Do you have relevant Certifications, e.g. CISSP? (0/1/2)

24. Are you knowledgeable about coding best practices? (0/1/2)

25. Are you knowledgeable about networks (e.g. able to read a network diagram)? (0/1/2)
