Friday 15 September 2023

Checklust security

Seventy Questions to Assess Cybersecurity Risk on a Rapidly Changing Threat Landscape is an ISACA 'industry news' article by Patrick Barnett.

Whereas normally I give 'industry news' and checklists a wide berth, Patrick is (according to the article) highly qualified and experienced in the field, so I took a closer look at this one. The prospect of condensing such a broad topic to a series of questions intrigued me. I'm not totally immune to the gleaming allure of well-conceived checklists.

Patrick says:

"There are 70 questions that can be asked to determine whether an enterprise has most defensive principles covered and has taken steps to reduce risk (and entropy) associated with cybersecurity. If you can answer “Yes” to the following 70 questions, then you have significantly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove all risk, just as there is nothing in the physical universe that does not experience entropy."

Hmmm. OK. Despite the definitive initial statement, I take that introduction as an implicit acknowledgement that there may be more than 70 questions ... and indeed many of the 70 are in fact compound/complex questions, such as "35. Do you prevent the disclosure of internal IP address and routing information on the Internet?" Most of us would instinctively answer "Yes" to that ... but look more closely: the question concerns "IP address" and "routing information", meaning both, not either part. What qualifies as "routing information" anyway? And what about other network traffic apart from IP? What is 'disclosure'? What does Patrick mean by 'prevent'? And are we only concerned about 'the Internet'? If you are serious about addressing the information risks relating to NAT and all that (all that), you surely appreciate the naivete of question 35. If this is all Greek to you, maybe not.

Similar considerations apply to the remaining questions. Real Life (tm) is analogue, not binary. It is complex, interrelated, dynamic, not amenable to simplistic analysis through a series of N binary questions, unless N is an unreasonably large and unbounded number.

Someone (maybe Patrick, maybe ISACA, maybe an AI LLM ...) evidently drew the line at 70 questions for the particular purposes of this article. 70 may be too many, about right, or too few depending on the readers' experiences, situations and needs. There is nothing magic about the number, nor indeed the specific questions: presenting a checklist of 70 questions is simply a technique to set readers thinking about the topic, and in that respect it succeeded with me. How about you? Have you read it yet?

But wait, there's more. The 70 questions are divided into 16 groups, giving the article a certain structure and revealing a little more about the author. Physical security, for instance, merits just 2 questions, whereas security architecture has 13. That, to me, suggests an imbalance or bias since physical security is a fundamental control, underpinning the rest: if physical security is compromised in some way, other controls are more vulnerable. On the other hand, physical security is less complex than security architecture, hence the latter begs more questions to explore the associated risks. Complicating matters still further, security architecture potentially includes physical architecture and design of the facilities among many other aspects - in fact, most if not all of the remaining 15 areas could usefully be considered parts of or relevant to security architecture, making that a diffuse or miscellaneous category. The categories are not entirely distinct with some overlaps, plus gaps (such as the Evidently, my thinking about the checklist extends beyond the actual questions. 

I'll end this blog post with a comment prompted by the added detail and abbreviations in one of just two 3-line questions. Among the assemblage of fairly generic and succinct questions, question 14 stands out to my beady eye (just the one!). Why does Patrick pick out "next generation anti-malware protection" and a "threat intelligence-based security analytics platform with built-in security context", specifically?

Oh, hang on a moment, who does Patrick represent? There's a rather obvious clue on his employer's website: 
So, it could be alleged that 69 of the 70 questions are mere chaff. Q.14 delivers a social engineering/marketing payload, a chance to promote the author's employer through some brand-related keywords/phrases. A cynical perspective, perhaps, but having spotted the warhead, we can still glean some value by scratching beneath the surface of this thinly-veiled marketing piece. As always, the trick is to think critically about whatever you read, including this blog. You don't have to agree with me. I won't be offended. Comments welcome ...
