The number one question I get as an Outsourced IT Provider is “am I secure?” This question is difficult to answer because I am on the outside looking in. I am not your IT Provider. Can’t I just provide a security audit? Yes, but it won’t help you actually be any more secure. An audit will simply cost you thousands of dollars, and bring to the forefront the problems your IT resource either (1) didn’t know were problems, or (2) have been ignoring because they can’t fix them. Even then, an audit will give you a sense of your security concerns today… but what about tomorrow, or a week from now?

The world of security is changing in real-time, faster than you can imagine. Security is not just about best practice anymore, response matters too. Your IT resource must be as nimble as the bad actors. A list of IT vulnerabilities from weeks ago when an audit was completed will not make you secure.

Instead, organizations like the Center for Internet Security have published helpful guidelines for security professionals to follow. Authorities like the California Attorney General have pointed at the CIS 18 as a reasonable standard for security. Yet again though, these are highly technical and difficult for many business leaders to properly chaperon.

Given this, I developed a targeted set of 3 questions to serve as a canary in the coal mine. These questions are a test to see if an IT environment might be compliant with the 18 controls.

The goal is NOT to ask the IT resource to start doing these things. We are simply testing to see if there is evidence that the much harder to complete (and assess) work has already been done. The things these questions ask for are a reasonable outcome of properly deployed controls. If a business answers NO to any of these questions, the result should not be to undertake a project to turn them into a YES. These are leading indicators that something essential to security is not being done. I cannot say that you are definitely secure, but you pass the first test. If the answer to any of these is NO, then I can say that it’s time for swift and dramatic action to address cyber security.