1.
I understand which business process/systems are the most critical to my organization's cybersecurity posture.
2.
Our cybersecurity policies are customized to fit the unique needs of our business.
3.
All IT procedures that affect cyber policies are formalized in operational runbooks.
4.
Cybersecurity teams never rely on memory or personal experience to conduct cybersecurity procedures.
5.
IT and cybersecurity teams are incentivized to immediately reveal their procedural mistakes without fear of reprisal.
6.
Business end users do not create cybersecurity policy workarounds.
7.
New IT and cybersecurity hires quickly apply past cybersecurity learnings to their everyday responsibilities.
8.
Our entire team (IT, cybersecurity, end users) routinely questions what they don't understand through a formal process that captures and responds to questions.
9.
Non-IT employees are very aware of and highly involved in my organization's cybersecurity efforts.
10.
Human error, insufficient training, and unfollowed procedures are rarely cited as root causes of cybersecurity incidents.
11.
I am confident our critical cybersecurity processes will not fail, even if a team member makes a mistake.
12.
My organization's business and IT leaders both understand the tradeoffs between cybersecurity and business operations.