A top concern is, “Do I have a false sense of security?”
In other words:
- Are all my controls working properly? Any malfunctions, like a door that doesn’t close all the way on its own?
- Are any of my controls so overbearing that people are going around them (e.g., using personal email and personal file sharing instead of company services)?
- Are any of my controls inadequate for the risk I’m trying to manage, like having a good business continuity plan that we never practice?
This line of thinking often leads me to consider myself to be a “professional paranoid person.”