Questions

Does your organization have a documented Cybersecurity program?

Does your organization have dedicated Cybersecurity staff that hold industry standard certifications (I.E. CISSP, CEH, GSEC, and Security+)?

Does your organization track security metrics today?  If so, does the results help direct your information security program/road map?

Does your organization maintain an up to date asset inventory?  If so, do you evaluate, classify, and inventory assets according to risk?

Does your organization currently utilize security technologies that extend beyond traditional Firewall and/or Unified Threat Management appliances (I.E.  SIEM/Logger/Vulnerability Scanning/Threat Feeds, etc.) ?

Is your organization able to detect and identify real-time security threats?  If so, do you have reports that showcase compliance/due diligence in this area?

Is your organization required to comply to a regulatory body (I.E. HIPAA, SOX, PCI, SEC, FFIEC)?

Is your organization performing routine vulnerability assessments?

Does your organization have security staff assigned to continuously monitor network traffic for insecure behavior?

Does your organization have the ability to detect, audit and report on user access changes or privilege escalation within the network?

Does your staff know when someone is scanning and/or attempting to exploit a vulnerability on a service at your organization?  If so, does this information roll up to a report that is readily available?

Does your organization have the ability to audit and report on policy violations or potential insecure behavior within the network?

Does your organization have the ability to provide logs to an Incident Responder in the event of a Cybersecurity incident or breach?

Does your organization keep raw logs for a specified period of time for forensic purposes?

Does your organization have an incident response experience/team on-site to deal with potential threats and/or breaches to your environment?