As the Information Security Program Owner at National Instruments, I spent years contemplating the answer to a question that has been around since the dawn of "the cloud":

On March 29, 2019, Alex Polimeni and I presented at the BSides Austin conference on some of the work we've done for National Instruments with respect to using the NIST Cybersecurity Framework (CSF) as the foundation for an assessment of the organization's cybersecurity maturity.  For those who aren't familiar with the NIST CSF, it splits cybersecurity best practice activities up into five functions: Identify, Protect, Detect, Respond, and Recover.  Then, each of those functions are split into several categories.  For example, the Identify function is split into the categories of Asset Manag