(Depending on response, address missing elements: external threats, natural disasters, power out, hardware failure, fumbling fingers, network-based attacks, insider threats, APTs. Acknowledging and not further addressing some particular threat is acceptable, ignoring it completely is not.)
How frequently do you drill for threats / failures? Practices such as Netflix's "chaos monkey" are close to best of class. Not at all is unfortunately the norm. Here I'd like to see some positive answer, but a widened eyes "oh, we should do that" would be encouraging, Dismissal would be many red flags. People respond to disasters according to their training and drilling, and failure to do either leads to poor response.
What is your professional development process? Name specific programmes / practices for entry-level to senior staff.
"What's a really good day?"
"What's a really bad day?"
Who's been promoted recently? Why?
What reasons have you had for making staff redundant?
What circumstances does it cover?
What is your threat model?
(Depending on response, address missing elements: external threats, natural disasters, power out, hardware failure, fumbling fingers, network-based attacks, insider threats, APTs. Acknowledging and not further addressing some particular threat is acceptable, ignoring it completely is not.)
How frequently do you drill for threats / failures? Practices such as Netflix's "chaos monkey" are close to best of class. Not at all is unfortunately the norm. Here I'd like to see some positive answer, but a widened eyes "oh, we should do that" would be encouraging, Dismissal would be many red flags. People respond to disasters according to their training and drilling, and failure to do either leads to poor response.
What is your professional development process? Name specific programmes / practices for entry-level to senior staff.
"What's a really good day?"
"What's a really bad day?"
Who's been promoted recently? Why?
What reasons have you had for making staff redundant?
What reasons have staff had for leaving?