US-CERT has posted up a nice list of Questions Every CEO Should Ask About Cyber Risks. I can’t say I disagreed with anything here!
It’s nothing much, but I did look a bit hard at the metrics section where it says, “An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the enterprise.” While I agree with this, most organizations still need to adequately find or be told about a vulnerability first and get it into the analysis and remediation pipeline, before they can start measuring how long it takes to patch it. Or maybe a better wording is to allow for the fact that a vulnerability may have existed before an organization learned of it and started work to patch it. I wouldn’t want someone to think the measure is just from when it was learned to when it was fixed.
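To make the distinction above concrete, here is a small added example (mine, not part of the US-CERT list or the original post) that computes the patch metric two ways over a handful of constructed vulnerability records: once from the day the organization learned of the issue, and once from the day the issue became known at all (public disclosure or a private report, whichever came first). The record names and dates are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class VulnRecord:
    """One critical vulnerability tracked through the remediation pipeline."""
    name: str
    disclosed: date   # date the issue was publicly disclosed (advisory, release note)
    learned: date     # date the organization itself became aware of it
    patched: date     # date the fix was confirmed deployed across the enterprise


def days_from_learned(r: VulnRecord) -> int:
    """The narrow metric: learned-of to patched. Ignores time spent unaware."""
    if r.patched < r.learned:
        raise ValueError(f"{r.name}: patched before learned")
    return (r.patched - r.learned).days


def exposure_days(r: VulnRecord) -> int:
    """The wider metric: from the earliest point the issue was knowable
    (public disclosure, or an earlier private report) to patched."""
    start = min(r.disclosed, r.learned)
    if r.patched < start:
        raise ValueError(f"{r.name}: patched before the issue existed")
    return (r.patched - start).days


def blind_days(r: VulnRecord) -> int:
    """Days between public disclosure and the organization noticing;
    zero if the organization knew first. This is the gap the narrow metric hides."""
    return max((r.learned - r.disclosed).days, 0)


def summarize(records: list[VulnRecord]) -> dict:
    """Mean of each metric across the records, plus the worst blind spot."""
    return {
        "mean_days_from_learned": mean(days_from_learned(r) for r in records),
        "mean_exposure_days": mean(exposure_days(r) for r in records),
        "max_blind_days": max(blind_days(r) for r in records),
    }


# Constructed sample data (hypothetical, not real vulnerabilities).
SAMPLE = [
    VulnRecord("VULN-1", date(2013, 1, 10), date(2013, 1, 15), date(2013, 1, 25)),
    VulnRecord("VULN-2", date(2013, 2, 1), date(2013, 3, 1), date(2013, 3, 4)),
    VulnRecord("VULN-3", date(2013, 2, 20), date(2013, 2, 20), date(2013, 3, 20)),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.name}: from learned {days_from_learned(r):>3} d, "
              f"exposure {exposure_days(r):>3} d, blind {blind_days(r):>3} d")
    print(summarize(SAMPLE))
```

On the sample, VULN-2 looks excellent by the narrow metric (three days from awareness to fix) but was exposed for a month because nobody noticed the advisory for four weeks; the `max_blind_days` figure is what a CEO would want reported alongside the patch time, since it points at the intake side of the pipeline rather than the patching side.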
I also understand that “industry best practices” can be a little flexible and arbitrary, but I don’t have a great alternative to that beyond constant review and improvement with multiple eyes and documented reasons and justifications for policies and standards.