Halkyn Security Blog
Specialist Security & Risk Management Consultants

Checklist or your memory, is one better?

Checklist to support your memory.

Use a checklist, don’t rely on your memory.

Quite rightly, security professionals are proud of how much information they hold in their heads. There is no doubt that to be effective you need to have immediate access to lots of different concepts. However, the really effective ones also have a checklist.

First off, the problem. Many certification exams are memory tests, and many hiring managers believe that testing candidates "under pressure" shows their worth. In reality this only measures how much information someone can hold for a short period. That is useful if you are sitting a closed-book exam, and it is also why boot camps work. Now ask yourself: is hearing something and remembering it just long enough to answer an exam question a good measure of ability? In practice, to be good at your job you need to know what you have to look up and be able to look it up quickly. Having a checklist is a definite win.

Checklist vs You?

The next issue is simply ego. We believe we know security, so having to stop and follow a guide feels somehow embarrassing. Everyone has confidence issues, and when we see other people reciting things from memory (for example, dropping into conversation that ISO 27001 Annex A.9.3 is User Responsibilities), it can be daunting.

Here, the simple thing is to realise that it is irrelevant. If someone has memorised Annex A, the CSA CCM, NIST SP 800-53 or whatever, be pleased for them, but it may help less than you think.

Other than the tiny percentage of people who are truly able to memorise and recall on demand, most people actually remember less than they think. They may genuinely believe they have memorised Annex A and, if they are good, they will be right 90% of the time.

And that is the point. They will be wrong 10% of the time. This may not matter (getting A.9.3 and A.9.4 mixed up is hardly life or death), but when it is important, you need a checklist.

Rather than saying "you aren't good enough to memorise (whatever)", using a checklist says you are professional enough to realise that it is IMPORTANT that nothing gets overlooked and that every step gets followed. There is a reason why experienced pilots still go through a checklist before every flight.

When do I need a checklist?

So, the simple answer to this difficult question is: whenever it is important that every step is followed or every option is considered. Only you can be the judge of that, but try to avoid letting your ego take over and decide "hey, a true professional would know to do it this way."

The main situations where we recommend checklists are:

  • Incident Response. Here the importance is making sure the right steps happen in the right sequence, every time, in a high-stress situation. Every collection must be forensically sound and every analysis must be methodical. This is crying out for a checklist.
  • Audit and Assessment. Different importance. This isn't about stress, it's about dealing with tedium. Every audit must be repeatable and follow exactly the right steps. You can't miss anything out, and you need to deal with the fact that as you get bored, your mind wanders. Following a checklist can save you. An example of this is the ISO 27001 self-assessment checklist we provide.
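The incident response point above is worth making concrete: a checklist that lives in a document can still be skipped, whereas one that is enforced by the tooling cannot. The following is an added example (it is not code from this post or from Halkyn) of a small Python runbook that refuses to let a step run out of order and makes the evidence collection step forensically sound by hashing the source before the copy, verifying the copy against it, making the copy read-only and recording the result. The step names, the sample auth.log line and the 203.0.113.7 address are all constructed for the example.

```python
"""Machine-enforced incident response checklist (added example, not the post's own code)."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumed step order for the example; a real runbook would be your own.
IR_STEPS = ["confirm_incident", "isolate_host", "collect_logs", "record_custody", "analyse"]

# Constructed sample log content so the example runs offline.
SAMPLE_LOG = (
    b"Mar 10 09:13:02 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51822 ssh2\n"
    b"Mar 10 09:13:04 web1 sshd[2201]: Accepted password for root from 203.0.113.7 port 51822 ssh2\n"
)


class ChecklistError(Exception):
    """Raised when a step is attempted out of sequence or evidence fails verification."""


class Runbook:
    """An ordered checklist: a step can only be completed if every earlier step is done."""

    def __init__(self, steps):
        self.steps = list(steps)
        self.done = []
        self.log = []  # one entry per completed step, with a timestamp and a note

    def next_step(self):
        return self.steps[len(self.done)] if len(self.done) < len(self.steps) else None

    def complete(self, name, note=""):
        expected = self.next_step()
        if name != expected:
            raise ChecklistError(f"step {name!r} attempted; next required step is {expected!r}")
        self.done.append(name)
        self.log.append({"step": name, "time": time.time(), "note": note})

    def is_complete(self):
        return self.done == self.steps


def sha256_file(path):
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(src, dest_dir):
    """Copy src into dest_dir, hashing before and after; the copy must match the source."""
    before = sha256_file(src)
    dest = Path(dest_dir) / Path(src).name
    shutil.copy2(src, dest)          # copy2 preserves timestamps as well as content
    os.chmod(dest, 0o444)            # working copy is read-only from here on
    after = sha256_file(dest)
    if before != after:
        raise ChecklistError(f"copy of {src} does not match source hash")
    return {"source": str(src), "copy": str(dest), "sha256": before}


def verify_evidence(record):
    """Re-hash the working copy and compare with the recorded hash (chain-of-custody check)."""
    return sha256_file(record["copy"]) == record["sha256"]


def run_demo():
    """Walk the whole checklist in order against a constructed auth.log."""
    work = Path(tempfile.mkdtemp())
    src = work / "auth.log"
    src.write_bytes(SAMPLE_LOG)
    evidence_dir = work / "evidence"
    evidence_dir.mkdir()

    rb = Runbook(IR_STEPS)
    rb.complete("confirm_incident", "alert triaged as a true positive")
    rb.complete("isolate_host", "host removed from the network")
    record = collect_evidence(src, evidence_dir)
    rb.complete("collect_logs", json.dumps(record))
    if not verify_evidence(record):
        raise ChecklistError("evidence changed between collection and custody record")
    rb.complete("record_custody", "hash re-verified and written to the log")
    rb.complete("analyse", "analysis performed on the read-only copy, not the original")
    return {"complete": rb.is_complete(), "evidence": record, "log": rb.log}


def skipping_step_is_rejected():
    """Show that jumping from step 1 straight to collection is refused."""
    rb = Runbook(IR_STEPS)
    rb.complete("confirm_incident")
    try:
        rb.complete("collect_logs")
    except ChecklistError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    print("out-of-order step rejected:", skipping_step_is_rejected())
```

The point of the example is the combination: the sequence is enforced by code rather than by memory, and the collection step produces a record (source path, copy path, hash) that can be re-verified later, so the "did we skip anything?" and "is this evidence still what we collected?" questions are answered by the log rather than by whoever was on shift at 3 a.m.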

There will be lots of other situations – some of which you will need to decide for your organisation. Sadly we don’t have a checklist for “situations where you need a checklist”.

Whatever you do, don't let your ego force you to try to remember things when you don't need to. Save your brain power for thinking of innovative solutions to problems, and use the checklist to manage your back-end processes.
