
The Ultimate Security Pros' Checklist
EXECUTIVE SUMMARY
Each cybersecurity-related role can be broken down into a set of tasks that represent the role's core
duties. This set of tasks can be described as a standard checklist that indicates all the areas the
role is accountable for.

This document maps the tasks for a selected number of positions – CISO, Director of Security,
Security Architect and SOC manager. Ideally this should be an actionable list to hang over your
desk to be reviewed and checked to ensure all key duties were met.

For each role, we have created a table containing the following fields:

• Task Name
• Task Description – detailed explanation of what the task includes
• Task Frequency – from daily to quarterly

The checklist is generalized and includes tasks that we believe are – or at least should be –
common to most organizations.

Having said that, there is no one-size-fits-all in security, and each security pro can modify each
field to adjust it to the specific conditions of his or her environment. No two organizations are the
same, and it makes sense to assume there will be wide variance depending on your industry,
team size, organizational culture, and other variables.

HOW WE BUILT THIS DOCUMENT
Cynet serves a global install base of hundreds of customers across all industries, geolocations
and sizes. The information in this document comes from our frequent interactions with
individuals who hold security positions.

Cynet is the provider of Cynet 360, the world's first Autonomous Breach Protection Platform, which
consolidates and automates endpoint, network and user protection across the full security
lifecycle: proactive monitoring and control, attack prevention and detection, and response
orchestration. Cynet 360 technology is complemented and enhanced by the CyOps Managed
Detection and Response (MDR) service, which is included in the Cynet 360 offering at no
additional charge.

By natively integrating all these capabilities into a single platform, Cynet 360 eliminates the need
to manually deploy and integrate multiple point products. Cynet 360 enables security teams to
conduct all their operations from a single console, introducing simplicity, speed and efficiency,
that translate into an unprecedented level of breach protection.

Visit the Cynet 360 website to learn more about how to introduce unmatched simplicity, speed and
robustness to your environment's security.

CISO TASK CHECKLIST
Security status check (Daily)
Get updates on the types and volume of attacks your organization encounters. Preferably, this is
done through a dedicated dashboard that aggregates and classifies all the alerts your security
products generate.

Security status check - methodology reevaluation (Monthly)
Review how the various threats are prioritized and displayed. Check the actionability and precision
of your current dashboard: how well it empowers you to confront and manage the response to
actual threats.

IT status check (Daily)
Get updates on planned changes in IT applications and infrastructure that could introduce a new
attack surface to your environment, and provide your domain-expertise feedback on them.

Prepare CIO report (Weekly)
Aggregate all KPIs of the security team into a standardized weekly report for your CIO. This is a
semi-technical report that focuses on the overall effort and gains entailed in the deployment,
maintenance and operation of both the security products in place and the security team.

Prepare executive management report (Monthly)
Aggregate all threat protection activity performed by your team into a high-level report that shows
how potential business risks are addressed and mitigated as a direct result of investments in
security products and personnel.

New security product evaluation (Bi-weekly)
Choose, review, shortlist, and actively test new security products, considering parameters such as
ease of deployment, the ability of the security team to operate the product efficiently within its
skill set and size, and how it complements the other security products in place.

Audit preparation (Daily)
Ensure that the security products and security personnel positions comply with the regulatory
requirements your organization is bound to, as well as the internal security protocols set by either
yourself or the CIO.

Security products tuning (Weekly)
Periodically evaluate the configuration, rules and policies of the security products in place. Test
whether exclusions or whitelisting should be applied due to a higher than expected false positive
rate, high disruption to productivity, or malfunctioning of a certain security product. Scope any
exclusion as narrowly as possible and record who approved it and why, so it can be revisited later
rather than silently widening a blind spot.

Review current budget against actual needs (Monthly)
Evaluate the capacity of your team and the security products in place to provide reasonable
protection to your environment, based on the challenges encountered against actual threats in the
recent month, mapping gaps where needed and assessing the investment required to address them.

Review and update the security team training program (Quarterly)
Enhance the existing training program, considering professional development across all security
positions. The changes you apply relate closely to the reevaluation of IR workflows, ensuring that
your team is well equipped to confront the unique threat landscape of your organization efficiently.

DIRECTOR OF SECURITY TASK CHECKLIST
Security status check (Daily)
Get updates on the types and volume of attacks your organization encounters. Preferably, this is
done through a dedicated dashboard that aggregates and classifies all the alerts your security
products generate.

Security status check - methodology reevaluation (Monthly)
Review how the various threats are prioritized and displayed. Check the actionability and precision
of your current dashboard: how well it empowers you to confront and manage the response to
actual threats.

IT status check (Daily)
Get updates on planned changes in IT applications and infrastructure that could introduce a new
attack surface to your environment, and provide your domain-expertise feedback on them.

Prepare CIO report (Weekly)
Aggregate all KPIs of the security team into a standardized weekly report for your CIO. This is a
semi-technical report that focuses on the overall effort and gains entailed in the deployment,
maintenance and operation of both the security products in place and the security team.

Prepare executive management report (Monthly)
Aggregate all threat protection activity performed by your team into a high-level report that shows
how potential business risks are addressed and mitigated as a direct result of investments in
security products and personnel.

New security product evaluation (Bi-weekly)
Choose, review, shortlist, and actively test new security products, considering parameters such as
ease of deployment, the ability of the security team to operate the product efficiently within its
skill set and size, and how it complements the other security products in place.

Audit preparation (Daily)
Ensure that the security products and security personnel positions comply with the regulatory
requirements your organization is bound to, as well as the internal security protocols set by either
yourself or the CIO.

Security products tuning (Weekly)
Periodically evaluate the configuration, rules and policies of the security products in place. Test
whether exclusions or whitelisting should be applied due to a higher than expected false positive
rate, high disruption to productivity, or malfunctioning of a certain security product. Scope any
exclusion as narrowly as possible and record who approved it and why, so it can be revisited later
rather than silently widening a blind spot.

Review current budget against actual needs (Monthly)
Evaluate the capacity of your team and the security products in place to provide reasonable
protection to your environment, based on the challenges encountered against actual threats in the
recent month, mapping gaps where needed and assessing the investment required to address them.

SECURITY ARCHITECT TASK CHECKLIST
Check new security products deployment status (Weekly)
Oversee the implementation of purchased security products. Check for any deployment issues that
might hold back coverage of the environment's full scope, work with the vendor on any unique
configuration requirements stemming from your environment's needs, and set success metrics for
the product's deployment and operation.

Evaluate security products for upcoming project (Weekly)
Choose, review, shortlist, and actively test new security products, considering parameters such as
ease of deployment, the ability of the security team to operate the product efficiently within its
skill set and size, and how it complements the other security products in place.

Network security status check (Daily)
Review the east-west and north-south security posture based on dashboards that aggregate the
outputs of firewall, IDS, IPS, Network Traffic Analysis, web filtering and any other traffic-oriented
product. The dashboard provides both direct security value and visibility into operational issues
such as false positives and misconfigurations.

Endpoint security status check (Daily)
Review the security posture delivered by AV, NGAV and EDR products, preferably via an
aggregated dashboard, checking whether there are any malware-based threats that are not
addressed, the volume of false positives, and any organization-specific configurations; apply
whitelisting or exclusion rules where needed.

Cloud security status check (Daily)
Review the security posture of both cloud workloads (IaaS and PaaS) and SaaS applications,
preferably via CWPP and CASB products that alert on any data access violation or anomalous
activity that indicates a potential attack. The dashboard should provide insight into attack attempt
trends as well as standard user activity patterns.

Identity security status check (Daily)
Review the security posture delivered by the on-prem and cloud SSO products and any association
between the two. Check the efficiency and operational impact of the access policy, as well as the
type and volume of violations.

Application security status check (Daily)
Review the security posture delivered by application security products such as a Web Application
Firewall (WAF), assess the threat landscape they reflect, and respond with the respective policy
and configuration changes.

Integrations status check (Daily)
Review the degree of consolidation and normalization of all security products' outputs in a central
log aggregation tool (typically a SIEM). Ensure that all signals are integrated in a manner that
makes sense, gives a full picture of an attack's root cause and impact, and enables a rapid and
efficient incident response process.

Update CTO (Weekly)
Prepare a low-level report on all the deployed security technologies in place, detailing any security
and operational issues.

Update CISO/Security Director (Weekly)
Prepare a high-level report summarizing the aggregated threat coverage of all security products in
place, backed by output data from all products. This report should also include identified gaps and
action items addressing them.

Prepare security program for next quarter (Bi-weekly)
Ongoing intake of the current quarter's KPIs and research into how to proactively enhance the
security posture of attack surfaces, increasing the breadth and depth of their security coverage.

Review and update the security team training program (Quarterly)
Enhance the existing training program, considering professional development across all security
positions. The changes you apply relate closely to the reevaluation of IR workflows, ensuring that
your team is well equipped to confront the unique threat landscape of your organization efficiently.

SOC MANAGER TASK CHECKLIST
Active investigations update (Daily)
Get updates from your analysts on the status of investigations currently taking place. This update
should cover the investigation status in the context of root cause, impact, and the required
remediation and recovery steps.

Update on daily attack trends and volume (Daily)
Ideally, this is done via a dedicated dashboard that aggregates all the confirmed attack attempts
that have been identified, thwarted or alerted on by the security products in your SOC, providing
you with a standard attack baseline against which you can judge an unusual spike.

Update on weekly attack trends and volume (Weekly)
The same review as the daily update, aggregated over the past week, so that weekly totals and
trends can be compared against the same baseline and an unusual spike does not get lost in the
day-to-day noise.

Reevaluate incident response methodologies (Monthly)
Review the efficacy and velocity of the IR procedures implemented in your SOC, considering the
time and resources invested in IR during the past month, and determine what to preserve and what
to improve.

Prepare CISO report (Weekly)
Prepare a high-level report summarizing the aggregated threat coverage of all security products in
place, backed by output data from all products. This report should also include identified gaps and
action items addressing them.

Prepare executive management report (Monthly)
Aggregate all threat protection activity performed by your team into a high-level report that shows
how potential business risks are addressed and mitigated as a direct result of investments in
security products and personnel.

Prepare for audit (Bi-weekly)
Ensure that the security products and security personnel positions comply with the regulatory
requirements your organization is bound to, as well as the internal security protocols set by either
yourself or the CIO.

Evaluate new security products (Bi-weekly)
Choose, review, shortlist, and actively test new security products, considering parameters such as
ease of deployment, the ability of the security team to operate the product efficiently within its
skill set and size, and how it complements the other security products in place.

Review performance of security products in place (Monthly)
Evaluate the pros and cons of the existing endpoint, network, identity, user and cloud security
products in place, as well as the alerting and investigation tools, against the efficacy of the past
month's incident handling. Identify gaps and come up with action items to address them.

Meeting with IT decision makers (Weekly)
Get updates on planned changes in IT applications and infrastructure that could introduce a new
attack surface to your environment, and provide your domain-expertise feedback on them.

Develop and maintain SOC team training program (Bi-weekly)
Enhance the existing training program, considering professional development across the three
analyst tiers, as well as specialization in specific fields (for example packet analysis, debugging
Windows processes, malware reverse engineering). The changes you apply relate closely to the
reevaluation of IR workflows, ensuring that your team is well equipped to confront the unique
threat landscape of your organization efficiently.

Plan and update internal SOC auditing procedure (Monthly)
Set up benchmarks for all SOC-related workflows that you determine are mandatory for ensuring
best-practice operation. At the end of the day, you know your SOC and your organization better
than any external auditor. While certain regulatory requirements must be met, each environment
has unique characteristics that you must relate to and address.
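Two of the checklist tasks above, the security architect's integrations status check (normalizing every product's output into one schema) and the SOC manager's daily attack trends update (a standard baseline against which an unusual spike stands out), are concrete enough to sketch in code. The following Python is an added example and is not part of the Cynet document or any Cynet product; the three product formats, their field names, the sample alert lines and the 14-day history of daily counts are all constructed for illustration.

```python
"""Added example: normalize alerts from several products into one schema,
build a robust daily attack-volume baseline, and flag a spike day.
All product formats, field names and data below are constructed."""
import json
import statistics
from collections import Counter

# Constructed sample alerts for one day from three hypothetical products.
# Formats and field names are assumptions, not any vendor's real schema.
EDR_JSON = [
    '{"ts":"2020-01-11T08:12:03Z","host":"ws-014","threat":"Trojan.Generic","action":"quarantined"}',
    '{"ts":"2020-01-11T09:40:51Z","host":"ws-022","threat":"PUA.Toolbar","action":"allowed"}',
    '{"ts":"2020-01-11T13:05:17Z","host":"srv-db1","threat":"Ransom.Crypt","action":"blocked"}',
]
FW_SYSLOG = [
    "2020-01-11T02:14:08Z fw1 DROP src=203.0.113.7 dst=10.0.0.5 dpt=3389 sig=rdp-bruteforce",
    "2020-01-11T02:14:09Z fw1 DROP src=203.0.113.7 dst=10.0.0.5 dpt=3389 sig=rdp-bruteforce",
    "2020-01-11T11:30:00Z fw1 ALLOW src=10.0.0.8 dst=10.0.0.5 dpt=443 sig=-",
]
WAF_CSV = [
    "2020-01-11T10:01:44Z,198.51.100.9,/login,sqli,blocked",
    "2020-01-11T10:01:59Z,198.51.100.9,/login,sqli,blocked",
    "2020-01-11T16:22:10Z,192.0.2.44,/search,xss,logged",
]
# Constructed daily attack-attempt counts for the 14 days before the day under review.
HISTORY = [3, 2, 3, 4, 3, 2, 3, 3, 4, 2, 3, 3, 2, 3]


def normalize(edr_lines, fw_lines, waf_lines):
    """Map each product's native record onto one schema:
    {day, product, signature, blocked}. Firewall records without an IDS
    signature are ordinary traffic and are dropped, so only attack attempts
    (identified, thwarted or merely alerted on) reach the count."""
    events = []
    for line in edr_lines:
        rec = json.loads(line)
        events.append({"day": rec["ts"][:10], "product": "edr",
                       "signature": rec["threat"],
                       "blocked": rec["action"] in ("quarantined", "blocked")})
    for line in fw_lines:
        ts, _host, action, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        if fields["sig"] == "-":
            continue
        events.append({"day": ts[:10], "product": "firewall",
                       "signature": fields["sig"], "blocked": action == "DROP"})
    for line in waf_lines:
        ts, _src, _path, sig, action = line.split(",")
        events.append({"day": ts[:10], "product": "waf",
                       "signature": sig, "blocked": action == "blocked"})
    return events


def daily_counts(events):
    """Attack attempts per day across all products."""
    return Counter(e["day"] for e in events)


def baseline(history, k=3.0):
    """Median plus k scaled median absolute deviations. Median/MAD are not
    dragged upward by past incident days the way mean/stddev would be, so
    one bad week does not raise the bar for the next. A floor of one event
    keeps the threshold usable when the history is flat (MAD == 0)."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    spread = max(1.4826 * mad, 1.0)
    return med, med + k * spread


def check_day(day, events, history, k=3.0):
    """Compare one day's volume with the baseline and break the day down by
    product and by unblocked attempts, so a spike can be traced, not just seen."""
    counts = daily_counts(events)
    med, threshold = baseline(history, k)
    todays = [e for e in events if e["day"] == day]
    return {
        "day": day,
        "count": counts[day],
        "median": med,
        "threshold": threshold,
        "spike": counts[day] > threshold,
        "by_product": dict(Counter(e["product"] for e in todays)),
        "unblocked": sum(1 for e in todays if not e["blocked"]),
    }


if __name__ == "__main__":
    events = normalize(EDR_JSON, FW_SYSLOG, WAF_CSV)
    print(check_day("2020-01-11", events, HISTORY))
```

With the constructed data the day under review holds 8 attack attempts against a baseline median of 3 and a threshold of 6, so it is reported as a spike; the `by_product` and `unblocked` fields are what a SOC manager actually needs next, because a spike driven by two unblocked WAF and EDR events is a different conversation from one driven by a firewall dropping a brute-force burst. The `k` multiplier is the knob to tune against your own false-positive tolerance.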
