Excellent presentation and a few good pointers in there. I really agree with your comment that checklists should be simple and clear. In addition to that, and one point that is often overlooked, is that checklists should assume that the people using them are knowledgeable. In other words, checklists should state /what/ to do, not how to execute each step.

The one problem that I still need to address with using checklists is checks-and-balances. How do I verify that a step is indeed executed in a meaningful way, and not just to check a box?

As I go through iterations of a daily secops checklist, I am getting closer, but I don't think I'm quite there yet.


@Leune - thanks. As much as checklists try to make things objective, the checks and balances are a tough one. I think part of the answer is that the checklist should at least:

1) make the division of responsibility for each task more explicit. This resolves one issue because so many problems result when someone says - but I thought you were doing that.

2) assign some accountability to others on the team. Security cannot do everything; some tasks should be carried out by other teams.

There is a lot more to this, with many subtle issues. I heartily recommend Checklist Manifesto, which I am sure will spur more thoughts for you in this direction.