Testing the cybersecurity maturity through self-reported practices

Did you read the story about Johnny the Hunter and the publishing house, the one hit by the FileSilo hack? Well, since Johnny was tasked with ramping up their security, he decided to get some idea about their current practices, and how much the different department managers knew about how to manage their security risks. He wasn’t all that hopeful. The publishing house was a distributed operation and key decision makers were spread around the country, and some also overseas.

Whenever he tried to talk to department managers about security, they told him it was all too technical, and one guy even got really hostile, accusing Johnny of being a paranoid security geek and proclaiming he’d rather be a dumpster diver than work with rats like him.

Johnny the Hunter decided to create a simple web application and have the department managers click through it – basically asking them what practices they had implemented. Perhaps this was easier than talking directly to some of them – like the ones thinking he was a disease-carrying rat of some sort?


Screenshot of Johnny’s app for asking department managers about practices – starting with a few key processes Johnny felt should be in place.

Johnny received a lot of answers; the managers were quite enthusiastic about this. They had hired a security expert from a big consulting house the year before, and he had only talked to them in technical terms (which they didn’t really understand) and left them with a large report that was too hard and too long to read. And the consulting house had charged an enormous amount per hour for doing so – and had spent a lot of hours on it.

After a few questions, Johnny’s app made some improvement suggestions for the managers. One manager, covering the publishing house’s online tech blog, where freelance writers contributed from all over the world, was thrilled with the suggestions he got.

Here are the suggestions the manager liked so much!


The managers thought this was really helpful. Johnny was happy for the enthusiastic response; this could pave the way for investing in some really helpful assets – like centralized logging, better network segregation and a team to ensure they could hunt for the real threats.
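To make the mechanics of such a self-assessment concrete, here is an added example of a small scoring engine in the spirit of Johnny’s app. It is not the app’s code, and the practices, weights, wording and maturity bands in it are constructed for illustration, not taken from the screenshots. Each plain-language question carries a weight and an improvement suggestion; the engine turns a manager’s yes/partial/no answers into a 0–100 score, a coarse maturity band, and a list of suggestions ordered by importance, and it reports skipped questions separately so that leaving something unanswered lowers the score rather than inflating it.

```python
"""Toy self-assessment engine in the spirit of Johnny's questionnaire.

Added example: the practice list, weights, wording and maturity bands below
are constructed for illustration; they are not the questions or suggestions
from the app shown on the page.
"""
from dataclasses import dataclass, field

# Answer values a manager can click. "partial" counts as half credit.
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass(frozen=True)
class Practice:
    key: str            # short identifier used in the answers dict
    question: str       # plain-language question shown to the manager
    weight: int         # relative importance for the score
    suggestion: str     # plain-language advice returned when the answer is not "yes"


# Constructed catalogue (an assumption for this example, not the app's real content).
PRACTICES = (
    Practice("inventory", "Do you know which computers and accounts your department uses?", 3,
             "Keep a simple list of your department's devices and accounts, and review it quarterly."),
    Practice("updates", "Are software updates installed within a few weeks of release?", 3,
             "Turn on automatic updates where possible, and check monthly that they are being applied."),
    Practice("mfa", "Do people need a code from their phone in addition to a password to log in?", 3,
             "Ask IT to enable two-step login for e-mail and any system holding customer or author data."),
    Practice("backups", "Are your important files backed up, and have you tested restoring them?", 2,
             "Agree with IT on what to back up, and try restoring a file at least once a year."),
    Practice("logging", "Are login and error events from your systems kept somewhere central?", 2,
             "Ask IT to send logs from your systems to the central log store so incidents can be investigated."),
    Practice("contacts", "Do your staff know who to call when something looks suspicious?", 1,
             "Put the security contact on the intranet front page and mention it at the next team meeting."),
)


@dataclass
class Assessment:
    score: int                                        # 0-100, weighted share of practices in place
    level: str                                        # coarse maturity band
    suggestions: list = field(default_factory=list)   # (weight, text), most important first
    unanswered: list = field(default_factory=list)    # practice keys the manager skipped


def maturity_level(score: int) -> str:
    """Map a 0-100 score to a plain-language band (constructed thresholds)."""
    if score >= 80:
        return "established"
    if score >= 50:
        return "developing"
    return "initial"


def assess(answers: dict) -> Assessment:
    """Score a manager's self-reported answers and list what to improve first.

    Unanswered practices earn no credit and are reported separately, so a
    skipped question lowers the score rather than silently inflating it.
    """
    earned = 0.0
    total = sum(p.weight for p in PRACTICES)
    suggestions = []
    unanswered = []
    for p in PRACTICES:
        raw = answers.get(p.key)
        if raw is None:
            unanswered.append(p.key)
            suggestions.append((p.weight, p.suggestion))
            continue
        answer = str(raw).strip().lower()
        if answer not in CREDIT:
            raise ValueError(f"{p.key}: expected yes/partial/no, got {raw!r}")
        earned += p.weight * CREDIT[answer]
        if CREDIT[answer] < 1.0:
            suggestions.append((p.weight, p.suggestion))
    # Highest weight first; the stable sort keeps catalogue order within a weight.
    suggestions.sort(key=lambda s: -s[0])
    score = round(100 * earned / total)
    return Assessment(score, maturity_level(score), suggestions, unanswered)


if __name__ == "__main__":
    # Constructed sample answers from one department manager.
    sample = {"inventory": "yes", "updates": "partial", "mfa": "no",
              "backups": "yes", "logging": "no", "contacts": "Yes"}
    result = assess(sample)
    print(f"Score: {result.score} ({result.level})")
    for weight, text in result.suggestions:
        print(f"- [{weight}] {text}")
    if result.unanswered:
        print("Unanswered:", ", ".join(result.unanswered))
```

The weights are the part worth thinking about: they let the results page lead with the suggestions that matter most, which is what makes a short list of plain-language advice more useful to a manager than a long consultant’s report.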

Why Johnny was dumbing it down

If you work in IT, or in security, Johnny’s app may seem extremely simplistic and dumbed down. Johnny the Hunter, however, did not think so. Why? Because he is not working with IT professionals; he is working with “getting my own stuff done” professionals, who think of IT mostly as a necessary evil. Posing the questions like this, in a very simple format, allowed him to connect with the department managers without creating distance, and without forcing them to try to communicate in an unfamiliar language. Breaking down these barriers is necessary in order to get buy-in for the things that the publishing house needs to do – and Johnny the Hunter understands this.

Test drive the cybersecurity maturity app!

If you want to try Johnny’s app, it is available for Safecontrols Insiders – log in or sign up, and you can take it for a test drive. Comments are very welcome – either on this blog post, or in an e-mail as specified in the app’s results page.



