In 1952, Dr. Virginia Apgar devised the Apgar score, a simple method for quickly assessing the health of a newborn. The baby is rated on five criteria (skin color, pulse rate, reflex irritability, muscle tone, and breathing), each from zero to two, for a total score of 0 to 10. What is interesting about the test is that it was not the product of long scientific studies, yet it spread rapidly to hospitals throughout the world.
People always appreciate simple things. Based on my experience, I decided to propose a similar score for assessing the security of a company. Here is my proposal:
The company's security posture is assessed on five criteria:
1. Executive buy-in
It is impossible to truly secure a company if the board and the CEO do not support the effort. Hyundai Capital CEO Ted Chung put it this way: "IT security needs a philosophy and only a CEO can make that kind of a decision."
2. No weak or default passwords
A large share of successful attacks begin with weak or default credentials: factory-default logins left on devices, passwords reused across systems, or passwords short enough to guess or brute-force. Enforce a minimum length, screen new passwords against a denylist of common and vendor-default values, and change every factory default before a system goes into service.
3. Security awareness
People are usually the weakest link in an organization. Training employees to recognize malicious attachments, phishing e-mails, and social-engineering attempts, and to report them rather than act on them, significantly improves the organization's security.
4. Secure coding training
By some estimates almost 95% of web applications have security flaws. The most effective fix is not to spend thousands on a web application firewall, which only filters known attack patterns in front of flawed code, but to train your developers to write secure code in the first place.
5. Harden your systems
Deploy every system from a uniform, hardened OS image and keep the number of open ports to a minimum.
Every listening port is a door into the system; the fewer doors there are, the fewer ways in an attacker has.
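Two of the five criteria, no weak or default passwords (2) and few open ports (5), can be checked mechanically. The script below is an added example, not code from the original post: it screens a credential against a small denylist of common and vendor-default passwords after undoing the usual disguises (trailing digits, symbol-for-letter substitutions), and it audits a host's listening TCP sockets against an allowlist. The denylists, the 12-character minimum, the allowlist, and the `ss -tlnp`-style sample output are all constructed assumptions; in practice you would feed in your own policy and the real `ss -tlnp` output from each host.

```python
"""Offline checks for criteria 2 (no weak/default passwords) and 5 (few open ports).

Added example, not code from the original post. Denylists, minimum length,
allowlist and the ss(8)-style sample output below are constructed.
"""
import re

MIN_LENGTH = 12  # assumed policy minimum, not taken from the post

# Constructed denylist of common base words and vendor defaults.
WEAK_BASES = {"password", "admin", "changeme", "welcome", "letmein",
              "qwerty", "root", "toor", "default", "guest"}

# Constructed (username, password) pairs that ship as factory defaults.
DEFAULT_PAIRS = {("admin", "admin"), ("admin", "password"),
                 ("root", "root"), ("root", "toor"), ("guest", "guest")}

# Symbol-for-letter substitutions that are undone before the denylist lookup.
LEET = str.maketrans("@$013", "asoie")


def normalize(password: str) -> str:
    """Reduce a password to the base word a human started from.

    'P@ssw0rd2024!' -> 'password': lower-case, strip the trailing run of
    digits and symbols, then undo leetspeak substitutions.
    """
    base = re.sub(r"[\d!@#$%^&*._-]+$", "", password.lower())
    return base.translate(LEET)


def check_credential(username: str, password: str) -> list[str]:
    """Return policy findings for one credential; an empty list means it passes."""
    findings = []
    norm = normalize(password)
    if (username.lower(), password.lower()) in DEFAULT_PAIRS:
        findings.append("vendor default credential pair")
    if not norm:
        findings.append("consists only of digits and symbols")
    elif norm in WEAK_BASES:
        findings.append(f"based on weak/default base word '{norm}'")
    elif norm == username.lower():
        findings.append("derived from the username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


# Constructed sample in the layout of `ss -tlnp` (Linux listening TCP sockets).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096     127.0.0.1:5432        0.0.0.0:*          users:(("postgres",pid=1201,fd=6))
LISTEN  0       511      *:80                  *:*                users:(("nginx",pid=1400,fd=6))
LISTEN  0       128      0.0.0.0:23            0.0.0.0:*          users:(("telnetd",pid=2001,fd=4))
LISTEN  0       128      [::]:3306             [::]:*             users:(("mysqld",pid=1502,fd=20))
"""

ALLOWED_EXTERNAL_PORTS = {22, 80, 443}  # assumed allowlist for an internet-facing web host
LOOPBACK_PREFIXES = ("127.", "[::1]")


def audit_listeners(ss_output: str, allowed=ALLOWED_EXTERNAL_PORTS) -> list[tuple[int, str, str]]:
    """Return (port, address, process) for each network-reachable listener not on the allowlist."""
    unexpected = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening line
        addr, port = fields[3].rsplit(":", 1)  # handles '[::]:3306' and '*:80'
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # bound to loopback only: not a door reachable from the network
        match = re.search(r'\(\("([^"]+)"', line)
        process = match.group(1) if match else "?"
        if int(port) not in allowed:
            unexpected.append((int(port), addr, process))
    return unexpected


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("deploy", "P@ssw0rd2024!"),
                     ("deploy", "correct-horse-battery-staple")]:
        print(f"{user}/{pw}: {check_credential(user, pw) or 'ok'}")
    for port, addr, proc in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {proc} on {addr}:{port}")
```

On the sample data the credential check rejects `admin/admin` as a vendor default and `P@ssw0rd2024!` as a disguised `password`, and the port audit flags telnetd on 23 and MySQL on 3306 while ignoring PostgreSQL, which is bound to loopback only. Loopback-only listeners are skipped deliberately: they are not doors reachable from the network, so counting them would inflate the finding list without improving the hardening picture.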
I believe that if you do well on all five criteria, the likelihood of your organization being compromised will be close to nil.