Security Leadership Master Class 3 : Building a security program
- Phil Venables
- Nov 1
- 6 min read
This is part 3 of a 7 part series grouping together sets of prior posts into a particular theme.
Security Leadership Master Class 1 : Leveling up your leadership
Security Leadership Master Class 2 : Dealing with the board and other executives
Security Leadership Master Class 3 : Building a security program
Security Leadership Master Class 4 : Enhancing or refreshing a security program
Security Leadership Master Class 5 : Getting hired and doing hiring
Security Leadership Master Class 6 : When disaster strikes
Security Leadership Master Class 7 : Contrarian takes
In this summary we’ll look at how to build (or re-build) a security program. The most instructive summary chart (below) comes from the first post in the list, on how to get going when you first need to do this.

One of the most important goals of the security leader in these build situations is balancing the tactical work of delivering some risk reduction as soon as possible to avoid or put out immediate “fires” (getting stuff done) in parallel with the strategic work of how to make the security program self-sustaining and aligned with business objectives (getting positioned well for the future).
This balancing of immediate fixes with strategic foundational work, team development, and continuous operational improvement needs a step-by-step approach:
Establish Executive Leadership Commitment and Accountability: A security program must begin with putting someone in charge from the executive leadership team who has the authority to make critical risk and prioritization decisions across all business lines. This leadership role does not initially need to be a seasoned Chief Information Security Officer (CISO) but could be a CFO, COO, or CEO partnering with the CIO/Head of Technology. I’ve seen a number of organizations where the simple act of the CEO or CFO running a monthly steering group to put their mark on the priority of this is enough to kick start making a big difference - even if they only personally devote time to this initially.
Create Foundational Governance and Oversight: You must create an ongoing process where leadership can review priorities, decide where to invest against risks, and ensure accountability. This oversight mechanism can involve dedicating time at regular leadership meetings or forming a specific committee, and it requires tracking a formal list of items to fix (a Risk Register). Some of the best examples I’ve seen are where, even if just during the kick start phase, the executive group (C-suite) creates some time in their regular meetings to ensure things are getting on track. This might be even more powerful than having a dedicated committee or council since using existing constructs signals a willingness of the executive team to prioritize time for this vs. just saying it is important.
Conduct an Immediate Critical Security Assessment: When either starting fresh or rebuilding a troubled program, an organization needs to commission a professional, independent third party to conduct a breach assessment to determine if attackers are already in the environment and test resistance to common attacks. This test should not only assess security but also confirm the effectiveness of critical systems backups. I’ve seen multiple cases where a new security leader is rebuilding a program or an acquisition is being integrated and there’s a claim that all is well to then have a latent ongoing breach revealed when the environment is actually deeply inspected.
Act Immediately on High-Risk Discoveries: Once the initial critical assessment is complete, resolve any latent incidents and fix high-risk issues without delay. Fixing critical issues now, even if the measures are temporary or duplicative of future investments, is vital because a breach or ransomware event will derail those subsequent plans and budgets anyway. Again, I’ve seen this in many organizations where, from their assessment, they have a long list of issues to fix, some of which are critical vulnerabilities that could be exploited. A few organizations might put all this work into some big strategic program, say implementing a zero trust framework, or wait for a technology modernization program to kick in. This often leads to incidents, because of that immediate exposure. It’s often better to pick out some critical work (like strong authentication or closing elements of an unnecessarily broad attack surface) to get done now to pay down that critical risk and give you the breathing room to get the strategic work done.
Implement Core Controls using Recognized Frameworks (Cover the Basics): Once immediate fires are extinguished, conduct a broader security review against expected controls to cover the basics of defense in depth. Organizations should use frameworks such as the Center for Internet Security (CIS) Critical Controls to define a minimum level of IT control and security required, which mandates commitment to practices like implementing and continuously monitoring system security configurations. CIS has great frameworks and benchmarks, and of course you can use NIST CSF overall. Where I’ve seen this work especially well is for teams to use, say, the CIS Critical Controls not just as an objective goal but also a means of benchmarking what good looks like.
Rule of Thirds - Build the Core Team and Ensure Role Balance: As the program matures, you will need to build or hire a security team, appointing a CISO if one is not already present, and pay attention to the balance of role types for maximum effectiveness. The overall organization should aim for a "rule of thirds" balance among three role types: Specialists (technical experts), Risk Advisors (who translate technical risk to business leaders and manage complex remediation efforts), and Operational experts (who excel at running functions like a finely tuned machine). One of the things I look for in organizations to intuit their level of control is this organizational balance, as a proxy for just how successful their programs and risk reduction efforts are going to be. There are plenty of counterexamples where teams with only technical specialists are successful, but these usually succeed because their balance of risk advisors (and program managers) or operational experts (like SREs) is already supporting the security team from another part of the company. But generally, the most mature teams that deliver the more sustainable programs exhibit this rule of thirds. I’ve seen this across large banks, healthcare, pharmaceutical, and defense industrial base companies.
Fund Strategic Transformations via "Big Bets": A successful security program requires balancing relentless incremental improvement with episodic big bets that yield transformational improvements, for example implementing strong two-factor authentication such as cryptographic tokens with good phishing resistance properties. The biggest “light bulb” moments I’ve seen, from Board level down, in organizations I’ve been in and that I’ve worked with, are the realization that security programs are the dual of a set of sequential big bet strategic transformations coupled with relentless tactical improvements and operational excellence.
Establish Continuous Control Monitoring (CCM): It is essential to treat controls as first-class objects and establish systems to know definitively and in real time the state of all required controls, allowing the organization to learn and adapt in response to failures. A remarkably common failure pattern in attacks is that the control that would have stopped the incident was thought to be operational but was actually not. Another exemplar I often use in seeing whether a particular organization is on the right maturity journey is to ask their security team some questions around controls such as “what percentage of your critical controls are continuously monitored?” or “how many control incidents do you detect and resolve per month?”
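To make the CCM idea concrete, here is an added example (not code from the original post) of a minimal control inventory where each control is a first-class object carrying its own automated probe, so the two questions above become computed answers rather than assertions. The control identifiers, descriptions, thresholds and the environment state are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Control:
    cid: str
    description: str
    critical: bool
    probe: Optional[Callable[[], bool]] = None  # None: no automated check, state is only asserted

SAMPLE_ENV = {  # constructed sample state standing in for real IdP/backup/EDR/scanner queries
    "mfa_enforced_admins": True,
    "backup_last_restore_test_days": 120,   # restore test is stale
    "edr_coverage_pct": 97.0,
    "admin_ports_internet_exposed": 0,
}

def build_inventory(env):
    """Controls as first-class objects: each carries its own probe where one exists."""
    return [
        Control("AC-1", "Phishing-resistant MFA enforced for admins", True, lambda: env["mfa_enforced_admins"]),
        Control("BK-1", "Critical backups restore-tested within 90 days", True, lambda: env["backup_last_restore_test_days"] <= 90),
        Control("EP-1", "EDR deployed on at least 99% of endpoints", True, lambda: env["edr_coverage_pct"] >= 99.0),
        Control("NW-1", "No admin ports exposed to the internet", True, lambda: env["admin_ports_internet_exposed"] == 0),
        Control("TR-1", "Annual awareness training completed", False),  # attestation only, no probe
    ]

def monitored_fraction(controls):
    """Answers 'what percentage of your critical controls are continuously monitored?'"""
    critical = [c for c in controls if c.critical]
    return sum(1 for c in critical if c.probe is not None) / len(critical) if critical else 0.0

def run_cycle(controls):
    """One monitoring pass: a control believed operational but observed failing is a control incident."""
    incidents = []
    for c in controls:
        if c.probe is None:
            continue  # unmonitored: nothing to observe, its state remains an assertion
        try:
            if not c.probe():
                incidents.append((c.cid, f"{c.description}: observed not operating"))
        except Exception as exc:  # an unknown state is never read as 'operational'
            incidents.append((c.cid, f"probe error: {exc}"))
    return incidents

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_ENV)
    print(f"critical controls continuously monitored: {monitored_fraction(inv):.0%}")
    for cid, detail in run_cycle(inv):
        print(f"CONTROL INCIDENT {cid}: {detail}")
```

Each incident the cycle returns is exactly the "thought operational, actually not" case; counting them per month gives the second metric.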
Align Security Objectives with Business and Mission Outcomes: Move beyond simply defending the business by adopting an entrepreneurial mindset, aligning good security and controls to improve the business and seeking adjacent commercial benefits. This could include looking for adjustments to improve customer experience, reduce friction in digital channels, and speed customer acquisition. Sometimes, even if you can’t find such opportunities, the fact that you are looking positions you as a strategic partner with the business lines that in turn leads to strong partnership from their side.
Shift Down - Embed Security Controls Directly into Frameworks and Platforms: Reduce the toil and knowledge burden on developers and other engineers by providing highly assured security capabilities encapsulated in standard tooling, making the secure path the easiest and default option. Every time application security or other teams find a vulnerability, they should proactively think about how to reduce the potential for further instances of that vulnerability through the provision of good tooling. Shift left is fine but shift down is better.
Sustain Security Effectiveness by Actively Counteracting Resource Atrophy: Recognize the entropy that causes sustained security funding and staffing to gradually erode, leading to a disproportionate drop in control effectiveness. A key method to counteract this is using organization health monitoring to assess whether the resources applied (people and budget) conform to a prescribed model of what is needed. The model need not always be enforced, but knowing when there is drift from baseline resource expectations is important so it can be raised.
Here’s a short video (thanks to NotebookLM) covering all of this.