Sage Advice - Cybersecurity Blog

How Checklists Can Improve Your Cybersecurity Program

Checklists are a great tool for keeping us on track. Surgeon Atul Gawande argues in The Checklist Manifesto: How to Get Things Right that the simple checklist – perhaps one of the most basic organizational tools – can improve the effectiveness of teams and individuals performing complex tasks. When his team introduced a two-minute checklist to eight hospitals as part of a research study in 2008, deaths were reduced by almost half.

It’s important to note that creating checklists to improve your cybersecurity program is not about “checking a box.” Just having a checklist doesn’t help. You need to actually use the checklist for it to be effective. And using checklists will help make your cybersecurity program more efficient and effective over time.

What is a Checklist?

It may seem like a remedial question, but not all checklists are created equal. There are specific attributes of a checklist that make them effective. Let’s take a look at a few.

#1. A checklist is a document and a record.

A checklist is a document that is used to identify and track what tasks are needed to accomplish a specific project. The project can be simple or complex. The checklist is used to define what steps are needed for the project to be accomplished successfully. It becomes a record when it is completed. A list of items that does not define a specific task-set to accomplish a project is not a checklist.

#2. A checklist uses a specific order of tasks.

In order to accomplish most projects, a series of tasks needs to be done in a specific order. The checklist is used to specify the required order. It serves as a reminder that you must first load, then ready, aim, and finally fire. Often the simplest of instructions are needed to keep a project properly on track. If you get the order wrong, even once, the project can fail.

#3. A checklist drives to a specific result.

The purpose of a checklist is to successfully complete the project. The purpose of the project and how it relates to the rest of your enterprise activities is important to you, but does not belong in your checklist. Each checklist must support a distinct project. A list of items that does not define completion of a project from start to finish is not a checklist.

#4. A checklist is used for repeatable jobs.

The successful completion of repetitive projects is what is important to the enterprise. Projects that are done infrequently benefit tremendously from checklists. A list of items that is only done once is not a checklist.

#5. A checklist is used for assigning work.

The ability to transfer a checklist to others is a key attribute. Because the checklist contains the tasks that need to be accomplished, when it is transferred to another worker there will be no confusion on what is expected. Checklists that are too generic or specialized to the extent that someone else cannot execute the tasks successfully are not effective or useful.

Benefits of Using Checklists

Now that we know what an effective checklist looks like, let’s take a look at how checklists can help improve your cybersecurity program.

#1. Checklists eliminate gaps.

Creating a checklist allows your organization to identify and remove gaps, and helps improve your team’s performance. For example, if you have multiple people in your organization doing the same tasks over and over again, you may find that each individual is performing them slightly differently. That variation can cause problems. If you assemble the group of individuals and let them define what needs to be in the checklist – what tasks need to be done, in what order – you will most likely find that the individual practices can be harmonized in the most efficient manner. Finding those gaps can help you identify best practices that all team members can buy into. Ultimately, a well-constructed checklist leaves no room for guessing what needs to come next or what steps need to be followed.

#2. Checklists identify inefficiencies.

The construction of a checklist allows your organization to identify (1) steps that are redundant; (2) steps that do not provide value; and (3) steps that can be done with less effort.

Most likely, your organization has been performing the same tasks over and over for a long period of time. Things are done a certain way because it's the way they've always been done. But if you really look at what they're doing, you may find out that a particular step is not needed, and you can drop that step from your checklist.

Checklists provide both a document of what needs to be done and a record of how well it has been done. That record comes in handy to make improvements over time.

#3. Checklists provide program metrics.

Keeping records of the work your team accomplishes through checklists provides a baseline for metrics. Checklists can be defined to include details such as the time spent completing a specific task or any errors encountered. Checklists that do not include metric tracking are a missed opportunity.

#4. Checklists serve as your institutional knowledge repository.

Checklists are your functional repository for critical information when it is needed. Having a checklist for a critical project that is well-defined and tested in advance is insurance that the project will get done correctly. Relying on your employees to just remember what needs to be done – also known as tribal knowledge – during a critical event is an invitation to a significant error.

#5. Checklists assist with information sharing.

Checklists that are shared for execution enforce the concept of separation of duties. When a checklist is available for executing a project, each team member has an opportunity to perform work more readily because the tasks and expectations are clearly set out. The records created from completing the checklist can be used as an operational diary. Operational diaries allow an organization to create a history that can be easily shared.

#6. Checklists enhance reporting.

Checklists enable easy reporting between team members. If a project is interrupted and must be handed off to another team member, they will know the current state based on the checklist and can pick up the project with certainty.

The outcome of completed checklists can also be used to establish reports for managers or executive leadership. For example, if you are tracking the time the tasks take, the statistics that flow from that can drive business decisions.


Topics: Cybersecurity Culture, Risk Management
