When it comes to a cybersecurity checklist, admittedly you could have just a single item on your list: Identify your risks and mitigate them. In some ways, it really is that simple. And it applies to processes as well as technology.

As an example, take a corporate password policy. The risk is weak passwords. The mitigation is a password policy, possibly enforced using technology, that requires strong passwords.

Of course, it would be nice to be able to break up the checklist into subcategories. And that’s what we’ll do here.

Identity & Access Management

Any good checklist should start with how your user accesses your systems. From WATI, “Providing more advanced and secure authentication options is an important way to increase security. Credential compromise and privilege escalation continue to be a primary cause of many data breaches. Users often practice poor password hygiene, including reusing the same password across many applications and choosing passwords that are far too easy to guess.”

1. Use multi-factor authentication (MFA)?
2. Use single sign-on (SSO)?
3. Use the principle of least privilege to determine access?
4. Have an IAM policy in place (including passwords)?

Data Protection

Data protection depends heavily on where the data resides. More and more that’s in the cloud. From Entersoft, “With cloud service providers going all out to woo customers in an age of digital plenty, many companies are unaware that securing data on the cloud is not the service provider’s responsibility.”

5. Classify data accurately?
6. Encrypt data in motion?
7. Encrypt data at rest?
8. Understand your shared data security responsibility in the cloud?

Infrastructure Security

Whether you’re in the cloud or on-premises (or both), you have some infrastructure that needs protection. And of course, now, infrastructure extends to the remote workforce. From Verus Corporation, “Whether your business has returned to the office or made plans for an extended remote work policy, the topic of securing the remote workforce needs to be addressed. With state-sponsored mobile attacks and rapidly growing spear-phishing campaigns, off-network security is critical to protecting your employees, data, and systems.”

9. Use antivirus and firewalls?
10. Use VPN for off-network traffic?
11. Have a patch policy in place?
12. Perform backups regularly?

Security Culture

Creating a culture of security should be a top priority for all organizations, which means you have to get everyone involved. From TechTarget, “It is important to note that cybersecurity hygiene is a shared responsibility — it is not an activity solely for employees. Organizations and security teams, among other departments, must all play their part to prevent the spread of disease.”

13. Company-wide compliance in place?
14. Company-wide security awareness training in place?
15. Continuous security testing happening?
16. Incident response team in place?


If your company develops software systems for yourself or others, then you have an additional checklist. This checklist will assist in turning DevOps into DevSecOps.

17. Secure APIs?
18. Obfuscate source code?
19. Embrace zero-trust architecture?
20. Use threat modeling?

If you want to transform DevOps into DevSecOps at your company, a good starting point is ThreatModeler. ThreatModeler is an automated threat modeling solution that requires essentially no security expertise. With ThreatModeler, you can identify, predict and define threats across the entire attack surface to make proactive security decisions and minimize overall risk. Plus it can help you check off one of the items on your checklist. To schedule a free demo, click here.