
Starting a Security Program from Scratch (or re-starting)

  • Phil Venables
  • 4 days ago
  • 12 min read

Updated: 4 hours ago

I’ve had a number of requests to write a post about how to start and grow a new security program - or a substantial reassessment and rebuild of an existing program. 


This is a difficult one to write because, as you all know, there is no one size fits all approach. Starting from scratch in a 10 person startup is very different from (re-)building a security program in a more established organization. What I’ve tried to do here, instead, is to develop a framework and step by step guide to apply to pretty much any type of organization. It might be that in applying this you only need, for your risk and stage of development, to go halfway in the various steps. Some time later, as your organization grows in size, stature or criticality then you might need to do the whole thing. 


There are 4 phases of maturity, each with their own steps. But basically it’s all about (1) starting to face in the right direction, (2) getting the basics done, (3) making those basics more routine / sustainable and then, if you need to, (4) making it much more advanced / strategic. 



Phase 1 - Face the Right Direction 

Step 1: Put Someone in Charge 


Someone needs to be on point to sponsor and drive the work. This should be someone from the executive leadership team who has the authority to make the right risk and prioritization decisions across all lines of business – it doesn’t need to be an expert, just someone who can drive change. This might be a CFO, COO or even the CEO partnering with the CIO / Head of Technology and the CISO if there is one - although if you are (re-)building there might not be. In time, though, you will need a Head of Security (whether or not you title the role Chief Information Security Officer might not matter) or other security specialist role. At this stage it is not imperative and the cost/time it takes to fill this role shouldn’t be a blocker for getting things done. The main thing is for someone senior to say, “we’re going to make security better” and it’s going to be an organization-wide priority. 


Step 2: Establish a Governance / Oversight Process 


You need a place where your leadership team can decide on priorities for where to invest vs. the risks. This might involve slowing down certain initiatives to accommodate the need for security investment or taking extra time to get a new product release right. This might need to be done at a specific new meeting (or “committee”), or simply a specific time allotted at your regular leadership meetings. Then you have to have a list of the things you want to fix or focus on (aka a Risk Register) and track what is getting done, what issues remain and to hold people accountable for the results – at that senior level. None of this needs to be super formal. But there needs to be a list of what needs to get done and tracking/accountability as to whether it is getting done. 


Step 3: Conduct a Critical Systems Security / Breach Test 


If you are starting fresh or taking over an organization in some possible disarray then you need to get a professional independent third party to determine if you already have attackers in your environment (a so-called breach assessment) and to test your security and show whether it is resistant to common attacks such as breaking through your perimeter, compromising your desktops, mobile devices, servers, cloud or SaaS environments, breaching sensitive data, or destroying your systems and data or exposing them to ransomware. 


This test should not only test security but also test your critical systems backups for effectiveness. You can at this stage also conduct the Broad Security Review (see Phase 2 [Step 5]) if it makes sense to bundle the two reviews together. 


Some might argue: what’s the point of doing this given there are likely vulnerabilities anyway? On that view, fixing known things before doing a test is important, otherwise the test just highlights what we can already presume to be there. This is strictly true, but many organizations starting from scratch or doing a rebuild might not have the expertise to come up with such a list, or they might not yet have the buy-in that comes from a third party highlighting critical potential failures. In other words, the simple act of a third-party test highlighting an initial list, or showing and cleaning up a current compromise, turns out to be a good first step no matter what. 


Step 4: Act on High Risk Results Immediately


Resolve any latent incidents discovered and fix the critical issues now. You may need to prioritize many of the issues in light of investments you plan on making in upgrading your IT infrastructure – but don’t delay fixing critical issues, even if these are temporary measures or throw-away vs. future investments. 


They are not a waste as they provide you important mitigation now. That breach or ransomware event that may happen if you don’t will derail your future plans and budget more than a selective bit of duplicative spending on the most critical gaps.  


Here, you might need to also prioritize (depending on your industry) some basic compliance attestations or control implementation to get those into shape. 


Phase 2 - Cover the Basics 

Step 5: Conduct a Broad Security Review vs. Expected Controls (Defend in Depth) 


Once you are pointing in the right direction and have fixed critical issues and possibly put out some fires then, or perhaps in parallel since these efforts don’t have to be perfectly sequenced, you need to do a broader review of what your controls should be. It is also useful to have an independent third-party do this, but if you have the skills in-house by now you can start with a self-assessment, and then validate in a smaller exercise by a third-party. In either case you should use the following at a minimum: 


  • NIST Cyber Security Framework – this assesses the structure of your efforts across Governance, Identification, Prevention, Detection, Response, Recovery and Vendor Risk Management. It helps lay a solid foundation for how to manage these risks over time. Many organizations, large and small, have adopted this and it will also help you explain your commitment to security to customers, regulators, auditors and your Board over time. 


  • Center for Internet Security (CIS) Critical Controls – this defines a minimum level of IT control and security that is required. Most of it is common sense, some of it is easy to implement, but some requires a top-down commitment to a level of control that may be a shift in your culture, for example: not letting any employee download any old piece of software from anywhere on the Internet. If you’re not prepared to make that trade-off in flexibility vs. security then you might want to question your broader risk priorities.  


Prioritize the top 10 most important things to focus on, listed below, as well as acting on the full assessment: 


  1. Secure Configurations and Updates. Keep all your (or at least your critical) systems patched and up to date – especially security patches. Implement and continuously monitor system security configurations, especially for critical systems like core systems, identity/authentication, cloud services and perimeter networks. 


  2. Lock Down Privilege. Heavily restrict who has administrative privilege, including the ability to download and install software in your environment – only a small number of administrators should be able to do this. Block or constrain the use of portable media and encrypt what you do use. Constrain privileges to effect wide-scale change to infrastructure, networks, clouds and other key systems. 


  3. Filter Content. Filter e-mail and Internet access such that spam, malware, phishing and malicious web sites are blocked. 


  4. Actively Defend. Run endpoint security software on mobile devices, desktops and servers (cloud or otherwise) to block and report ransomware, other malware, and attacks. Implement software allow listing so only known good software can run. Bring critical activity and security logs back to a central, secure storage location.  


  5. Harden the Perimeter. Harden your Internet perimeter – make sure your web sites and Internet access are regularly scanned for vulnerabilities and those issues fixed. Make sure there are no open ports that are easily accessible by attackers. Make sure firewall or other security gateways are reviewed regularly (systematically vs. manually) for the right rule sets. 


  6. Strongly Authenticate Access. Implement strong authentication (hardware tokens, or authentication apps on smartphones) for any remote access to your environment or services you use in the cloud (e.g. Office 365, Google Workspace).  


  7. Isolate and Protect Critical Data/Systems. Segment and encrypt your most critical IT assets and data, such as customer records, payment information, core intellectual property and authentication systems. Encrypt content on your mobile devices and enforce mobile device security.  


  8. Back Things Up. Back up your data and systems and regularly test that this works by recovering to actual clean systems – not just by inspecting the back-ups. Encrypt your back-ups. Make sure the back-ups are kept off-line/immutable.  


  9. Manage Access. Manage identity and access to your on-premises, cloud or vendor systems. When someone leaves, ensure you terminate all their access quickly. Check constantly that this is working. 


  10. Check Your Vendors. Finally, for any vendors that could cause you or your customers problems if they have an issue with your data or services, make sure they are doing these things as well.  


Doing these as part of the CIS Critical Controls won’t stop all attacks – especially the ones targeted at you exclusively and exhaustively by a sophisticated attacker – but they will stop most attacks and that is what you should focus on at this stage, unless you are in a business that brings you into the realm of sophisticated attackers (for example, high value payments, defense, critical intellectual property, large collections of personal and private identity or health information). 


Step 6: Develop a Multi-Stage Implementation Plan to Close Gaps 


You will find it difficult to do all these things at once, and will likely want to intertwine this with other IT upgrade activities – except, as discussed, for critical exposures that have been identified – just fix those now. The output of the Broad Security Review should be broken into discrete objectives and tied to the IT upgrades that enable them, for example: if you don’t have a solid IT infrastructure that can take software updates from a central source then you’ll have a tough time doing the needed continuous patching.  


Step 7: Select Managed Services Providers to Help 


You are unlikely to be able to do all this on your own, so select one or more service providers to help you, whether it’s for IT services overall and/or specific security or product configuration help. In particular you should select one or more Managed Security Services Provider(s) to do the following activities: 


  • 24x7 security monitoring from systems logs, intrusion detection sensors on perimeter, internal network, end points and cloud/SaaS services. 

  • Continuous vulnerability scanning – to look for security gaps, especially on cloud and SaaS implementations.

  • Periodic full security penetration testing. 

  • Regular security assessments of your critical vendors. 

  • Intelligence collection about threats to your organization, brand or market segment – that you can use to prioritize control enhancements or take steps to protect your brand (e.g. taking down fake websites). 

  • Incident response support – in the event of an attack you want a team to be able to assist – and this should include periodic drills so you and they practice for incidents.  


Step 8: Build a Team


You will likely need a security team. This work is really that important. At this point if you don’t have a Chief Information Security Officer (CISO) then you should hire or appoint one. This person may be a standalone role, or it may be a small team, or simply a role augmented by managed service providers. Unless you are in a particularly high risk business this person doesn’t always need to be a seasoned/experienced CISO; they could be one of your more experienced IT staff that you decide to train. At this point you should also be bolstering the training of your workforce on security matters.


Phase 3 - Make it Routine

Step 9: Program Manage Your Enhancements  


Establish and sustain some further formal governance to continue to assure your long term implementation plans, and any adjustments, are working satisfactorily. This might be as simple as making sure your CISO, CIO or even COO have a person who tracks delivery, key metrics (or OKRs – Objectives and Key Results) and flags if things are going off track. 


Devoting a special management group or even a Risk Committee to this might be useful, but at least regularly devoting a portion of your Executive leadership meeting to this topic will ensure the right tone at the top is seen on such a critical activity. Over time, as budget and other opportunistic work/upgrades happen, it will likely be possible to reduce residual risk and get more things implemented. You should also, unless done earlier, make sure you are documenting and communicating security policies and an overall security strategy, and defining a strategic technology architecture that firmly embeds sound security practices. Finally, at a big enough scale (or risk) you should have an Internal Audit function, or use your External Audit firm, to independently challenge your work and priorities around security – in the context of your overall business risks.  


Step 10: Establish Continuous Risk Assessment and Control Monitoring  


Doing a risk assessment once, when you’re in a fast-paced business and a changing world of threats, isn’t enough. So plan to refresh your risk assessment periodically (annually is adequate, every 6 months is better) or when you have major triggers in your business like a major expansion, a new product launch or some major incident or close call, or even when you see a competitor experience some issue and want to pressure test your own organization against that.  


Also, make sure you know which of your controls are the critical ones that mitigate your most important risks, and make sure there are automated checks to assure those controls are operational and effective. If you can’t do that then, less ideally, have some manual procedures to check them. Construct and review scorecards and metrics of the performance of your key controls as you would track and report on your most important business and customer metrics. Watch for repeated failings as a sign that something deeper is at fault. It is here you should blend in your approach to assuring compliance with rules and regulations affecting technology and security as part of your continuous control monitoring.  
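As an added illustration of the automated control checks, scorecards and “watch for repeated failings” idea described here (and of the “check constantly that this is working” point under Manage Access in Step 5), the following Python is example code written for this page, not code from the post or from any particular product; the evidence sets, names, dates and thresholds are constructed and hypothetical.

```python
"""Continuous control monitoring sketch for three controls named in this post;
all evidence below is constructed for illustration (hypothetical organisation)."""
from datetime import date

# Constructed evidence: HR leaver dates, live accounts per system, MFA enrolment,
# and the date of the last real restore test (a genuine recovery, not an inspection).
HR_LEAVERS = {"alice": date(2024, 3, 1), "bob": date(2024, 3, 10)}
ACTIVE_ACCOUNTS = {"alice": {"vpn", "email"}, "carol": {"vpn"}, "dave": {"email", "saas"}}
MFA_ENROLLED = {"carol", "dave"}
LAST_RESTORE_TEST = date(2024, 1, 15)
TODAY = date(2024, 3, 20)

def check_leaver_access(hr_leavers, active_accounts, today, max_days=2):
    """Manage Access: a leaver's accounts must be gone within max_days of leaving."""
    return [
        f"{user} left on {left} but still has {sorted(active_accounts[user])}"
        for user, left in hr_leavers.items()
        if user in active_accounts and (today - left).days > max_days
    ]

def check_mfa(active_accounts, mfa_enrolled, remote_services=("vpn", "saas")):
    """Strongly Authenticate Access: every remote/cloud account needs MFA."""
    return [
        f"{user} has {svc} without MFA"
        for user, services in active_accounts.items()
        for svc in sorted(services)
        if svc in remote_services and user not in mfa_enrolled
    ]

def check_backup_restore(last_test, today, max_age_days=90):
    """Back Things Up: a real recovery test must have run within max_age_days."""
    age = (today - last_test).days
    return [] if age <= max_age_days else [f"last restore test {age} days ago"]

def scorecard(today):
    """One period's scorecard: control name -> (PASS/FAIL, list of findings)."""
    findings = {
        "leaver_access_terminated": check_leaver_access(HR_LEAVERS, ACTIVE_ACCOUNTS, today),
        "mfa_on_remote_access": check_mfa(ACTIVE_ACCOUNTS, MFA_ENROLLED),
        "backup_restore_tested": check_backup_restore(LAST_RESTORE_TEST, today),
    }
    return {name: ("FAIL" if f else "PASS", f) for name, f in findings.items()}

def repeated_failures(history, threshold=3):
    """Controls failing in the last `threshold` consecutive periods: a sign something deeper is wrong."""
    flagged = []
    for control in (history[-1] if history else {}):
        streak = 0
        for period in reversed(history):  # walk back from the newest period
            if period.get(control, ("PASS", []))[0] != "FAIL":
                break
            streak += 1
        if streak >= threshold:
            flagged.append((control, streak))
    return flagged

def demo_history():
    """Three weekly scorecards computed from the constructed snapshot."""
    return [scorecard(date(2024, 3, 6)), scorecard(date(2024, 3, 13)), scorecard(TODAY)]
```

In a real deployment the evidence dictionaries would be pulled from the HR system, directory, identity provider and backup tooling on a schedule, and the scorecard history kept so that streaks can be reported to the governance forum from Step 2.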


Step 11: Increase Resilience and Plan for Bad Days 


Plan for the worst by writing down some of the worst scenarios you can reasonably contemplate – it might be a data breach, a systems outage, a payments fraud, a ransomware event or something highly attuned to your business. Then each quarter do a test of your team and leadership to drill how they respond to that – including knowing how to seek retained external help and to report issues to law enforcement. Consider having documented internal and external communications, stakeholder management (customers, regulators, et al.), and potential PR processes. Then adjust the processes and controls to apply any lessons. Most organizations that suffer incidents can reduce long term impact if the response is decisive, transparent and centered on doing the right thing for the customer. You can’t do this without practice.  


Step 12: Put on Some Hedges


No matter how well you prepare there will always be some issues that occur, so think about what opportunities exist to transfer or otherwise reduce your risk beyond the work you have already done to implement and sustain controls. Purchase some amount of cybersecurity insurance and possibly business disruption insurance alongside your other insurance programs. Also, take a hard look at how to reduce your inherent risk – do you need all the data you collect from customers, or do you need to keep it for so long? Can you offload certain high risk activities to vendors who might be able to handle this with less risk to you, such as payments or credit card processing? 


Looking at how to inherently de-risk your environment can take the time, cost and other pressure off control implementation.    


Phase 4 - Make it Strategic 

Step 13: Align with Business Objectives 


Now you’re making great strides and you should be feeling good about your basic levels of control and security, as well as the ability of your team to keep updating and responding to new threats and risks. Now is a good opportunity to take stock and go on the offensive. Think about how good security and controls can improve your business, as opposed to simply defending your business and protecting your customers. This could mean looking at your controls and examining whether they can be made more efficient, or made able to support more IT and business agility to deliver new products. Also look for adjustments that improve customer experience, reduce friction in your digital channels and speed customer acquisition. You should also further align with rules and regulations to get very efficient at compliance, for example: if you can spend 1% of your brain power on ensuring regulatory compliance because you designed your business and systems that way by default, while other firms need to use 10% of their energy ensuring regulatory compliance due to less adequate business processes or systems, then you will have a distinct advantage.  


Step 14: Support your Customers / Extend your Products 


Now could also be the time to look at what businesses, segments, geographies and channels you’ve been hesitant about because of potential security or even fraud risk, and look at your control platform or enhancements as a means of bringing those opportunities within your sights. Additionally, you may be able to assist your customers in the secure use of your products, which further attaches them to your business. Perhaps there is also potential for new products using your security and control platforms to benefit your customers. Embrace customer inquiries and differentiate yourself in how you satisfy their security concerns.  


Step 15: Improve the Team / Skills 


Throughout this whole journey you will have needed to support your security team, whether these are simply roles in IT or a fully-fledged CISO and team, in training and professional development. This is especially important in a fast moving space like security. Thankfully there are many low cost ways to do this, such as a sector-specific Information Sharing and Analysis Center (ISAC), and other ways like training services.  


Step 16: Do Red Team Exercises and Adversarial Testing


Finally, now is the time to really put your team to the test. Commission regular Red Team tests from an independent third party – or a suitably skilled internal team if you can afford it. Red Team exercises are designed to go until they win, and most organizations usually fail their test to some degree (even if it is just because they actually give the Red Team some further access to attack from). It might be that the Red Team has to do progressively more sophisticated attacks to get you – but in any case you will learn along the way.  


Bottom line: most organizations, with sufficient will and leadership, can progress up a maturity curve on cybersecurity – but it’s important to start with getting some of the basics right so you have the time / air cover to build your program for your true strategic needs. 



© 2020 Philip Venables. 
