TL;DR / Benefits:
Whether you have a Cyber Security or Enterprise Security team (Fraud, Cyber and Physical combined) of 100+ people like some of the banks, or 15 people, or 1 person: you still have someone or a team that is responsible for engaging with business and IT and providing them cyber security advice. Otherwise why do you exist?
You may have too many requests and not enough security people or,
Technology and business may pass you by and you only hear about things as they are about to go live, are already live or when you get hacked.
Are the business or technology teams just going to whoever they know or have worked with before, especially over email or Teams/Slack?
Either way you need a way to:
Engage your business and technology teams or make it easier for them to engage you.
Triage their requests so you work on the highest risk items.
This is a set of questions you can ask to do that, and a way to publish them, e.g. as a ServiceNow, Microsoft or Google Docs form, so you get engaged in a more structured way and there is an easy way to engage with cyber security (consider adding a link to this to your team’s email signatures and Teams/Slack about me). If you are really good, get this directly into Jira, a ServiceNow queue or whatever your BAU and project work management system is. Run some more automation like High, Medium, Low priority based on the values entered… or not…
This will also help you report on what your team is working on, and allow you to prioritize and re-prioritize: what is urgent and important (i.e. has a lot of cyber risk), just urgent, not urgent and not important.
You can collect the majority of the information you need upfront or at least get the requester to think about it.
If you have internal charge back you can collect this information or make the requester aware of it.
Encourage self service or at least increase awareness of your policies, standards, patterns, guardrails etc.
If they don’t implement a security control and you need to write up a risk, or you want to do a threat model, this is all required info.
You could give this list to a ServiceNow developer / outsource partner and get them to build it. It would save you so much time.