Quite rightly, security professionals are proud of how much information they hold in their heads. There is no doubt that to be effective you need to have immediate access to lots of different concepts. However, the really effective ones also have a checklist.
First off – the problem. Lots of certificate exams are memory tests and lots of hiring managers believe tests “under pressure” show value. But really this is just a test of how much information you can hold for a short period of time. This is great if you are sitting a closed-book exam. It is also why boot camps work. Now ask yourself – is hearing something & remembering it long enough to answer an exam question a good thing? In practice, to be good at your job you just need to know what you have to look up and be able to look it up quickly. Having a checklist is a definite win.
Checklist vs You?
The next issue is simply ego. We believe we know security, so having to stop and follow a guide is somehow embarrassing. Everyone has confidence issues, and when we see other people reciting things from memory (for example, dropping into conversation that ISO27001 Annex A, 9.3 is User Responsibilities), it can be daunting.
Here, the simple thing is to realise it is irrelevant. If someone has memorised Annex A, the CSA CCM, NIST SP800-53 or whatever, be pleased for them but it may help less than you think.
Other than a tiny percentage of people who are truly able to memorise and recall on demand, most people actually remember less than they think. They may truly believe they have memorised Annex A and, if they are good, they will be right 90% of the time.
And that is the point. They will be wrong 10% of the time. This may not matter (getting 9.3 and 9.4 mixed up isn’t really a life or death issue), but when it is important, you need a checklist.
Rather than say “you aren’t good enough to memorise (whatever)”, using a checklist says you are professional enough to realise that it is IMPORTANT that nothing gets overlooked. You realise it is IMPORTANT that every step gets followed. There is a reason why experienced pilots still go through a checklist before every flight.
When do I need a checklist?
So, the simple answer to this difficult question is – whenever it is important that every step is followed or every option is considered. Only you can be the judge of that, but try to avoid letting your ego take over and decide “hey, a true professional would know to do it this way.”
The main situations where we recommend checklists are:
- Incident Response. Here the importance is to make sure the right steps happen in the right sequence, every time, in a high-stress situation. Every collection must be forensically sound and every analysis must be methodological. This is crying out for a checklist response.
- Audit and Assessment. Here the importance is different. This isn’t about stress; it’s about dealing with tedium. Every audit must be repeatable and follow the exact correct steps. You can’t miss anything out, and you need to deal with the fact that as you get bored, your mind wanders. Following a checklist can save you. An example of this is the ISO27001 self-assessment checklist we provide.
There will be lots of other situations, some of which you will need to decide for your organisation. Sadly, we don’t have a checklist for “situations where you need a checklist”.
Whatever you do, don’t let your ego force you to try to remember things when you don’t need to. Save your brain power to think of innovative solutions to problems and use the checklist to manage your back-end processes.