No. 6 Surprise: The key to sustaining an excellent cyber strategy is an assessment. Assessing requires us to understand how well we exercise our processes and procedures during a cyber incident. The only way to honestly assess the organization is to limit the number of people who know about the test. The assessment should consist of vulnerability and configurations assessments, as well as, penetration and exploitation testing.