"Are We Secure?" Critical Insights From Ivanti CISO Phil Richards
The question “Are we secure?” strikes fear and dread into the heart of every CISO, whose initial gut reaction is to respond, “Well, that’s a complicated question.” It’s complicated because security is never really “done.”
Unlike many other professions, a security officer doesn’t really know what “done” is. If you talk to a baker and ask, “Is the cake done?”, the answer is fairly straightforward: either the cake is ready to ship out or it isn’t.
For software developers, the answer is a little more complicated, because you have to define what “done” means, but there can still be a bar or level that defines “done.” For security, even if you establish a bar that indicates security is “done,” that bar continues to move because the bad guys are always coming up with new ways to get in, and each of those must be responded to. For most security officers, “done” borders on a false sense of safety, which is dangerous.
How Do You Respond?
So, with all that, how do you respond to the executive who asks, “Are we secure?” without appearing like you’ve never thought about it?
Most senior executives are aware that security is a process and adherence to a set of standards. Many executives are also aware that these standards change over time, and that the work involves constant adjustment, addressing issues, and chasing down incidents. Because of that, it’s usually okay to respond with something more complex than a yes-or-no answer.
When I’m asked such a question, I like to speak to the improvements. For me, the big three indicators of a security program’s overall health boil down to risk management, incident management, and vulnerability management.
- Has the organization adequately identified the key cyber-security risks?
- Is the organization actively managing these risks?
- Is there an active pipeline of risk mitigation plans/activities that will be completed over the next 6 to 18 months to improve the overall risk management profile?
For me, these questions—when answered in the affirmative—define a risk program that’s under control.
- Do we have an incident response (IR) team that includes all major departments within the organization?
- Do we have an incident response plan that is understood and works?
- Does the IR team practice incident response?
- Does the IR team have experience handling real-world incidents? Can that team be trusted if/when a major incident occurs?
These are the key indicators of an effective incident response program that can enable action when the time comes.
- Do we have an accurate hardware and software inventory?
- Do we perform vulnerability scans/assessments across our server and workstation domains?
- Do we actively patch servers and workstations?
- Do we actively adjust configurations to account for drift?
- Do we have service-level requirements for addressing vulnerability scan deficiencies?
These are the keys to a functional vulnerability management program.
Progression, Not Perfection
You’ll note that these programs do not indicate perfection within the organization. Rather, they indicate that the organization is on a trajectory of continuous improvement. There is and always will be risk, but these metrics focus on how the organization is oriented. To the question, “Are we secure?” these metrics also permit you to say, “We are better than we’ve been before and we have the right processes in place so that we will continue to improve over time,” which I think is a much more satisfying response.
Phil Richards is Ivanti’s Chief Security Officer, with 20 years of hands-on experience as CSO, senior program manager, director of release engineering, and director of architecture. He graduated from Brigham Young University in Information Management and holds an MBA in Finance from the University of Utah.