VistaClair questionnaire

Answer every question based on observed reality. This flow has 20 questions and takes about 8 minutes.

How many security initiatives are currently active and consuming meaningful effort?

Given current people, attention, and dependencies, how many of these initiatives can realistically progress in parallel without quality loss?

How often does urgent operational work prevent planned security initiatives from progressing as intended?

Of your active security initiatives, how many have produced observable changes that reduced exposure or increased recoverability in the last 90 days?

When was the last time a security initiative was explicitly paused or stopped to reallocate focus or capacity?

If 2 to 3 current security initiatives were paused, how likely is it that this would immediately create critical exposure?

Is there a role with clear authority to set security priorities, explicitly defer work, and accept risk trade-offs?

Is there a role with authority to stop initiatives, mandate security tests, and enforce corrective actions?

During a high-pressure security incident, how confident are you that escalation paths and decision authority would remain unambiguous?

When was your ability to detect a meaningful security incident last tested in a way that would surface failure?

When was your end-to-end incident response, including decision-making, last exercised or tested?

When was recovery of critical systems or data last tested under conditions approximating real pressure?

When did the organisation last experience a real security incident or operational crisis that materially tested security assumptions?

How well are critical dependencies between security domains understood and actively managed?

Are any security capabilities currently relying on other domains that are known to be weak or untested?

If a critical security assumption proved wrong, how well do you understand the consequences based on tested or observed behavior?

If a critical system or domain were compromised, how reversible would the impact be within days?

When security priorities compete, how explicit and consistently applied is the logic used to choose between them?

Domain pressure

For each domain, describe its current operational condition.

Options for each domain: Stable / Watch / Under pressure

Domains:
Detection and response
Identity and access
Infrastructure and endpoints
Applications and cloud
Data and resilience
Governance and people

This is about current operational pressure, not strategic importance.

Foundational domains

Select 2 to 3 domains that support multiple other security capabilities. If these weaken, broader operational stability is likely to weaken as well.

Priority domain

If leadership focus were limited over the next 90 days, which one domain would you prioritise first?

Reduced-attention domains

Select 2 to 3 domains that could temporarily operate with less leadership attention while the priority domain is addressed.

No reliable conclusion could be reached

The current answers do not form a clear enough picture to reach a reliable conclusion.