If your organization evaluates security practices as part of IT/engineering employees’ performance review, how do you measure that? Can you share any best practices or tips on how to approach this?

CIO, 8 months ago

Some possibilities:
1- Number of vulnerabilities or 100% of system/apps for which they are accountable are current on security patches 
2- Complete all required security trainings
3- Follows standard practice such as limiting access privileges to minimum required to accomplish task
4- If their responsibility, conducts annual review of security-related policies/processes/procedures and confirms up-to-date
5- Recognized and reported/avoided 100% of phishing attempts —or— Caused zero malware/phishing/ransomware incidents (they didn’t take the bait)
6- How quickly they addressed issues identified in a security audit 
7- Ensure technologies for which they are accountable undergo periodic risk mgt reviews. 
8- Ensure systems for which they are responsible have data encrypted at rest and in transit; and that backups are encrypted and immutable. 

Director of IT in Healthcare and Biotech, 8 months ago

Define clear security metrics: number of security incidents reported and resolved, participation in security training.

Post-incident reviews: to learn from security breaches and improve defences.

Regular security assessments: VM & PT to identify and mitigate risks; audits ensure compliance with security standards.

Incorporate security into processes.

Vice President, Software Engineering in Finance (non-banking), 9 months ago

Security practices are not to be evaluated at an engineering employee’s level but at an engineering organizational level, against best practices and policies established by the CISO and Cybersecurity teams. One way to evaluate is to use developer tools to enforce security violations like secrets/passwords in code, block release or merge into code repositories, define patterns for secrets discovery in the code and scan periodically. In addition, have clear guidance on security best practices - in the above example, suggest using security vaults (e.g. Azure Vault, Hashicorp, etc.). In addition, Authentication and Authorization standards, using code instances of APIs calling cross-platform and session management, and so on, are also important to note.

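The pre-merge secrets check described in the answer above, written out as an added example (not code from the poster or from any vendor tool): a pattern-plus-entropy scanner whose non-zero exit status is meant to fail a CI job and block the merge. The rule names, regular expressions and the sample config fragment are all constructed for illustration.

```python
# Added example: a CI merge gate that scans committed text for secrets,
# following the post's idea of pattern-based discovery and blocking merges.
# Patterns and sample input are constructed for illustration.
import math
import re
from collections import Counter
from typing import List, Tuple

# Rule name -> compiled pattern; tune per organization.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic `password = "..."` assignment with a quoted literal value.
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            # The generic rule only fires on random-looking values, so
            # placeholders such as "changeme" do not block the merge.
            if name == "hardcoded_password" and shannon_entropy(m.group(1)) < entropy_threshold:
                continue
            findings.append((lineno, name))
    return findings

# Constructed sample config; the vault reference on the last line is the
# recommended alternative to a literal secret and is not flagged.
SAMPLE = """\
db_user = "app"
db_password = "changeme"
aws_key = AKIAABCDEFGHIJKLMNOP
api_key = "q7Zp2xL9vR4tW8yB1nM3"
vault_ref = "vault://prod/db/password"
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for lineno, rule in hits:
        print(f"line {lineno}: {rule}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the CI job
```

Run it as a pre-commit hook or a pipeline step over the changed files; the same `scan_text` function can be scheduled against the whole repository for the periodic scan the answer mentions.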
CISO in Software, 9 months ago

It is not easily performed at the individual contributor level based on my experience versus the senior manager/executive level where there are clear requirements and metrics that can be measured.
