Trust and Verify
Business owners (CEO), finance/risk managers (CFO), and operations teams should follow the tenet of Trust and Verify for cybersecurity. Trust and verify has been a standard for accounting and auditing firms for decades. Trust and verify is also a standard for governance, risk, and compliance teams.
I strongly suspect, though, that businesses are not consistently following trust and verify principles for their cybersecurity. CEOs and CFOs trust, sometimes without a basis in facts, the network and security teams’ statement “We are secure.”
This leads to one of three business situations:
- The security leader (CISO) has the experience and the metrics to prove that the organization is secure. In this case, the company measures the success of its security controls and documents and tests its policies and procedures. The company embraces an external verification to confirm internal team expertise and its security posture.
- The security leader (CISO) states the organization is secure without metrics. The company acknowledges that it could improve its security posture. It documents its processes for many best practices, but not always. The security leader welcomes an external verification to support requests for funding, products, and staffing. The organization embraces consulting expertise to help build a better security posture.
- The security leader (CISO) states that the organization is secure but can’t produce any documentation, processes, or testing results. The security leader advocates against documentation, process, or testing and perhaps even delays or stonewalls an external review. All trust and no verification should be a warning sign to management that their organization is not properly protected.
Owners should be hesitant to trust when there is no verification. The effective security leaders we have consulted with have been proud of their work and happy to demonstrate the defense capabilities they have established.
It’s quick and cost-effective to have an external vendor perform a high-level security posture review that includes an assessment of the security repository holding your documentation and processes.
Oops! You don’t have a repository? You don’t have access to an encrypted location holding the security and network key applications and passwords? Consider: are you being held hostage by one person in the organization with the “Keys to the Kingdom”?
Private message me @ to discuss strategies to align leadership statements on security posture with verification in 15-30 minutes.
For more information, visit Shambliss Guardian.
Don’t Miss the DSP Cyber Summit on October 10th!
Join us on Thursday, October 10th for the DSP Cyber Summit, where industry leaders will dive deep into the practical application of Trust and Verify in cybersecurity. Don’t miss out on learning how to strengthen your organization’s security posture! Click the button below and secure your spot today.