Welcome! This worksheet is provided for Rational Cybersecurity for Business readers. Readers can apply the book’s guidance to align their cybersecurity programs or projects with the business. Please copy the worksheet from this page into your text editing tool or DOWNLOAD AND FILL OUT OR PRINT THE INTERACTIVE PDF to begin capturing your information.

Instructions: Chapters 1-9 in the book each contain instructions for completing a part of the worksheet. Chapter 10 provides complete instructions for the entire worksheet.
Enter date for starting your worksheet responses: ____________
1. Scope out Your Priority Focus Areas
Priority Focus Area | Check box if priority
Develop and Govern a Healthy Security Culture | [ ]
Manage Risk in the Language of Business | [ ]
Establish a Control Baseline | [ ]
Simplify and Rationalize IT & Security | [ ]
Control Access with Minimal Drag on the Business | [ ]
Institute Resilient Detection, Response, and Recovery | [ ]

Table 1: Focus Priorities from Rational Cybersecurity for the Business
2. Identify Stakeholders
Fill in the name of the person holding each role identified in Table 2. If a role doesn't exist or is called something else at your organization, remove, edit, or annotate the row. In the Contact Plan column, note whether the person should be contacted now or later, and who will be the relationship manager. Fill in the Notes column with any known projects, issues, or pain points to cover with the stakeholder.
Security-Related Role | Stakeholder Name | Contact Plan | Notes (Projects, Issues, Pain Points)
Board of Directors | | |
CEO, business sponsor | | |
Chief Counsel (Legal) | | |
Chief Digital Officer | | |
CIO | | |
CISO | | |
Chief Privacy Officer | | |
Chief Risk Officer | | |
Chief Technology Officer | | |
Compliance and Audit | | |
Enterprise Architecture (EA) | | |
Human Resources (HR) | | |
IAM team manager | | |
IT operations | | |
LOB executives | | |
Security incident response | | |
Security Ops manager | | |
Service manager | | |
3rd party risk manager | | |
Business continuity manager | | |

Table 2: Stakeholder Engagement Tracking Table
3. Make a Quick Assessment of Current State
For each of the Priority Focus Areas in Table 3 below, review the sample quick assessment criteria in Chapter 10 or in Chapters 3 through 9. Base your scores on whether you would answer most of the questions with a strong "no" (1), a strong "yes" (5), or something in between.
Response Score Criteria: 1 (strongly disagree), 2 (disagree), 3 (neutral), 4 (agree), 5 (strongly agree)
Priority Focus Area | Today Score (1-5) | +3 months Score (1-5) | +6 months Score (1-5)
Develop and Govern a Strong Security Culture | | |
Manage Risk in the Language of Business | | |
Establish a Control Baseline | | |
Simplify and Rationalize IT & Security | | |
Control Access with Minimal Drag on the Business | | |
Institute Resilient Detection and Response | | |

Table 3: Security Leaders' Quick Assessment of Current State of Priority Focus Areas in the Business at 3 Points in Time
Optionally, record any notes on your ratings from Table 3 in Table 4 below.
Priority Focus Area | Optional Notes
Develop and Govern a Strong Security Culture |
Manage Risk in the Language of Business |
Establish a Control Baseline |
Simplify and Rationalize IT & Security |
Control Access with Minimal Drag on the Business |
Institute Resilient Detection and Response |

Table 4: Optional Notes on Current State Rating
4. Identify Improvement Objectives
If you have selected "Develop and Govern a Strong Security Culture" as one of your Priority Focus Areas, enter improvement objectives into Table 5. Because this topic crosses two chapters, two versions of Table 5 (5a and 5b) are provided, for security governance and security culture respectively.
Security Governance Improvement Objective | Optional Notes | Status
Increase CISO and security team communication with stakeholders | This is an example. Use it or replace it with your own improvement objectives. | Document date completed and any results.
 | |
 | |

Table 5a: Improvement Objectives for Security Governance
Security Culture Improvement Objective | Optional Notes | Status
 | |
 | |
 | |

Table 5b: Improvement Objectives for Security Culture
If you have selected "Manage Risk in the Language of Business" as one of your Priority Focus Areas, enter improvement objectives into Table 6.
Risk Management Improvement Objective | Optional Notes | Status
 | |
 | |
 | |

Table 6: Improvement Objectives for "Manage Risk in the Language of Business"
If you have selected "Establish a Control Baseline" as one of your Priority Focus Areas, enter improvement objectives into Table 7.
Control Baseline Improvement Objective | Optional Notes | Status
 | |
 | |
 | |

Table 7: Improvement Objectives for "Establish a Control Baseline"
If you have selected "Simplify and Rationalize IT & Security" as one of your Priority Focus Areas, enter improvement objectives into Table 8.
IT Security Simplification Improvement Objective | Optional Notes | Status
 | |
 | |
 | |

Table 8: Improvement Objectives for "Simplify and Rationalize IT & Security"
If you have selected "Control Access with Minimal Drag on the Business" as one of your Priority Focus Areas, enter improvement objectives into Table 9.
Access Governance Improvement Objective | Optional Notes | Status
 | |
 | |
 | |

Table 9: Improvement Objectives for "Control Access with Minimal Drag on the Business"
If you have selected "Institute Resilience through Detection, Response, and Recovery" as one of your Priority Focus Areas, enter improvement objectives into Table 10.
Improvement Objective | Optional Notes | Status
 | |
 | |
 | |

Table 10: Improvement Objectives for "Institute Resilient Detection, Response, and Recovery"
5. Specify Metrics and Track Progress
For each of your Priority Focus Areas and improvement objectives, define a metric you can track over the next 30 to 90 days. A few examples are included.
Use Table 11 to specify metrics for improvement objectives that require recurring activities or processes, then track improvement objective results against those metrics in the table. Also remember to go back to Section 3, Tables 3 and 4, to update the Current State Assessment as your cybersecurity-business alignment and security program improve.
Priority Focus Area / Improvement Objective | Metric | Metric results (at 30, 60, and 90 days)

Develop and Govern a Strong Security Culture | Metric | at 30 days | at 60 days | at 90 days
Increase CISO and security team communication with stakeholders | # Stakeholder 1-on-1 meetings | 3 | 6 | 11
 | # Stakeholder team briefings | | |
Improvement objective #2 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #3 | Metric #1 | | |
 | Metric #2 | | |

Manage Risk in the Language of Business | Metric | at 30 days | at 60 days | at 90 days
Improvement objective #1 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #2 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #3 | Metric #1 | | |
 | Metric #2 | | |

Establish a Control Baseline | Metric | at 30 days | at 60 days | at 90 days
Improvement objective #1 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #2 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #3 | Metric #1 | | |
 | Metric #2 | | |

Simplify and Rationalize IT & Security | Metric | at 30 days | at 60 days | at 90 days
Improvement objective #1 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #2 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #3 | Metric #1 | | |
 | Metric #2 | | |

Control Access with Minimal Drag on the Business | Metric | at 30 days | at 60 days | at 90 days
Improvement objective #1 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #2 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #3 | Metric #1 | | |
 | Metric #2 | | |

Institute Resilient Detection and Response | Metric | at 30 days | at 60 days | at 90 days
Improvement objective #1 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #2 | Metric #1 | | |
 | Metric #2 | | |
Improvement objective #3 | Metric #1 | | |
 | Metric #2 | | |

Table 11: Track Metrics for Improvement Objectives