How to Build an Information Security Program

Derly G

Over the years, I have developed steps to help me implement a new information security program or take one over. Typically for an organization wishing to greatly improve its security maturity level. Even though I have never been employed as a salary based CISO role, I had the pleasure to perform the role, in a limited fashion, throughout the years and developed a hybrid methodology to build a program. It is based on guidance from mentors, books I have read, and personal experience. You could also use this technique as a security program management lifecycle methodology for continuous improvement as well.

But first, you need to know that the role of vCISO or CISO (v/CISO) is never the same for any organization that employs one. I have seen v/CISOs used as senior security architects with no say in the entire corporate security strategy.


 I have also witnessed v/CISOs used to lead application teams, charged with implementing DevSecOps, but never allow to manage cyber risk, governance, or compliance issues. Some v/CISOs have no control of their budget, no direct reports, and are basically an individual contributor. 

However, this methodology is focused on the average CISO or vCISO who is placed in charge of the security program design and maintenance. Whom, it is assumed, has been empowered to improve the corporate information security strategy and manage all aspects of cybersecurity within the company. Thus, you are playing a combination of IT solutions expert, risk manager, program manager, and Sr. Security leader. 

The following five steps below will have a few sub-tasks under them. The steps or sub-task can be completed in order or parallel, varying on dependencies.  Some of these steps also form a continuous life cycle of activities that will help improve a security program over time, gradually increase the security maturity level of your organization.

So, let’s being with the first Stage….

1.     Business Goals for Security - Stage: In this stage, the main goal is to develop relationships, learn about the organization’s mission or business operations, and discover business goals. While learning about the business, keep in mind, that relationship building is one of the most critical tasks of a CISO. If you want to be successful in any CISO role, virtual or not, you need to understand that your role is more of an influencer and adviser with little authority in changes outside of the security program and sometimes within it. 

Thus, good relationships are a key to success to steer the ship in a safe and less risky direction. The captain of the ship is usually a combination of the Board, CEO, risk owners (e.g., business unit leader, etc.), and Chief IT leaders of the organization you are helping. The following are all of the sub-tasks to make this stage successful.

a.     Interviews: One of the sub-tasks is to meet with your senior management, peers, business unit leaders, direct reports, third-party providers, and other key stakeholders to learn about their responsibilities, current business operations activities, concerns on achieving their goals, and information security interests.

b.    Security Goals: I use a hybrid approach of ISACA best practices and SABSA ESA methods to develop my security goals that will be used to develop a security strategy. As you are learning more about the organization’s mission, goals, and business strategy you will be converting these into business objectives or attributes. The same thing goes for when you are doing the interviews. You can then convert most business goals discovered into the business goals for security eventually. 

Once you feel this completed you will need to meet with senior management to review these business goals and security goals to get confirmation and prioritization. If you wondering why, it is because the CISO does not usually own the risk of failure for lines of business, a department, or the company as a whole, it is the leaders who do, who will need to make those decisions. Hence, the main owner of a goal or attribute should be the one who owns the risk if it were to fail or not be completed on time. The owner should have the final say in the goal or attribute approval, prioritization, or tweaking over time.

For example, it is usually the COO or CIO, depending on industry or business type, who owns business continuity planning and operations (COOP) or disaster recovery (DR). Even though there might be a few security requirements that the implementation and management may be the responsibility of the security program (i.e., DDoS prevention, HA for security appliance, incident response, security communications planning, monitoring, defense in depth, etc.). The CIO or COO is usually the true owner of the risk of failure of the COOP or DR plans.

Senior management should only make a v/CISO responsible for those items that fall under the security program to manage. But it is the risk owner who is ultimately accountable, or at least they should be, for the business goals those security requirements are supporting. However, the business goal development exercise and security goal mapping will help you start this conversation with senior management and help them assign goals or risk owners.

2.     Discovery - Stage: This next phase of the method can be painful because of the amount of data collection and reading that is required. However, essentially the main objective is to collect and review a lot of the current administrative controls (e.g., security policies, hiring practices, security standards, DR and COOP procedures, etc.) and other job-related required reading. This will allow you to continue to draft any information security gaps and learn more about the organization’s current maturity level.  

a.     Current Policies: This requires a review of all of the published corporate policies, standards, procedures, guidelines related to your role or areas of responsibility.

b.    Resource Analyst: Reviewing and analysis of all information security resources. Understanding the current budget and human resources assigned to the security department. Reviewing security third-party contracts. To include their capabilities and which ones will renew within the next 18 months. 

c.     Other Related Documentation: This can be past PenTest results, audit reports, outstanding program deficiencies, pasts incident reports, and other impacts on security services. Also, performing an initial security team maturity level review.

3.     Capability Review – Stage: This phase is a deep dive into the most technical capabilities of the organization. It will require the collection of additional information from multiple sources, probably not yet collected in previous stages. You could have collected this in parallel with the above steps, but you should wait until you have a good understanding of the entire corporate architecture first. This includes the main applications, network environments, platforms (e.g., databases, OS, management systems, etc.), virtual technologies, and private or public cloud services.

a.     Security Architecture Analysis: You should review network maps, architecture drawings, security control placement, and capabilities. You can also perform some basic threat mapping as well.

b.    Security Tools/Services Inventory: During this task, you will review the current security technologies and related services to your role. This can be any appliances, services (i.e., internal or third-party), applications, and other technologies or capabilities. For example, PAN NGFW, HP Fortify, SOC-as-a-Service, Anti-DDoS, etc. At this same time, you want to document the subject matter expertise (SMEs) and the main points of contact for these items. As well as the current security projects pending completion.

c.     Security Project Review: This consists of meeting with project leads and reviewing the project plans and any hurdles to completion. At this time, it is not recommended that you make changes or pause any open security projects. Unless it is based on a very high likelihood the project is going in the wrong direction that your security strategy or business goals will support.

d.    Operations Review: I would analyze current operations capabilities, other security controls not yet covered, training needs, etc. This also includes new service requests, required upgrades, or open issues. I would include issues with change, risk, and operations management processes.

4.     Security Posture Review – Stage: By now, you should have gathered enough information to start an assessment.  This security posture review is an organization-wide full security assessment. This assessment should give you a good understanding of current security controls implemented and security requirement adherence. These should be mapped to GRC requirements and best practice goals. Additionally, any lack of adherence or issues should be added as risk findings. Within the risk assessment, you want to analyze any issues and develop a business impact analysis for at least the high and critical items. 

So, you will be reviewing all of the evidence of InfoSec data and related cyber intelligence needed to perform a gaps analysis, risk assessment, business impact assessment, threat models, and other assessment tools to develop a good posture review. The quality and speed will need to be determined by when senior management expects you to be 100% ready to launch your security strategy. 

This is because there should be a ramp-up time from when you enter the role and transition into full speed, but even if you only have 60 days from the start of your role, you need to do these steps. It might be a quick and dirty version but at least that will give you some idea of a basic current posture. Even if it is as clear as mud.  

Finally. This is an assessment that you will want to perform on your own. One reason is that it will give you a lot of context and education about your organization. Two, it ensures the results will not be influenced by office politics or non-partial parties. With that in mind here are the tasks for this stage.

a.     Security Requirements List: This will assist in building a security requirements list based on corporate policy, regulations, business goals for security, and certifications like achieving ISO 2700X, FedRamp, and CSA Star. Plus, determining if you are achieving them, partially or fully, if at all.

b.    Security Strategy Requirements: Mapping too or adding to the security requirements list any best practice controls like CIS Top 20, CSA CCM, or NIST CSF, plus, any additional security goals not yet covered in the GRC or certification requirements. Even if they are, if you have time, it is highly recommended you map all of the requirements to a basic security strategy best practice (e.g., NIST CSF, CIS Top 20, etc.)

c.     Prioritization: Don’t forget to meet with key stakeholders on the security requirements to apply a priority to them, but do not discuss, yet, any concerns with gaps or risks in non-compliance in achieving those items. You are just collecting the data.

d.    Risk and Maturity Analysis: This will require you to understand the current risk methodology or implement one if it is part of your role. Either way, you will need to perform a risk analysis for any gaps in the requirements, controls, or additional findings (e.g., cyber intel, threat mapping discoveries, MITRE Att@ck Framework, etc.). The same goes for the overall maturity analysis of teams, departments, or programs.

e.     Presentation of Findings: I believe this is when you should have a formal meeting with senior management, present findings, and get feedback and decisions on risks and adjustments on security goals.

5.     Security Strategy Kick-Off – Stage: This last step will typically occur between 90 to 180 days into your new role, maybe more, depending on the size of the organization. By now you should have met most of the management and key leaders across your company. You should have a good understanding of your new organization’s culture as well. All of this will allow you to build, present, and get approved a security strategy. The security strategy is what the security program will manage through the building of security services via many projects over time as you improve the maturity of the organization.

a.     Security Strategy and Road Map: You should be able to document your strategy, goals, and an 18 month to two-year roadmap plan for your security program by now. I recommend adding this to a presentation to your management.

b.    Executive Approval: In a previous formal meeting, you should have presented to senior management your security posture assessment results. The feedback from that meeting and any completed action items from it will justify the finalization of goals for security and the strategy. You should be presenting these in another meeting for a review of your strategy and final approval. 

c.     Security Steering Committee: Most security strategies usually recommend for the formation of the security steering committee. You might suggest the initial members but it’s senior management’s decision on who should be assigned this responsibility. 

What is the Security Steering Committee? Now, imagine if you were a leader of a security service and the organization was your client. The security steering committee would be the few points of client personnel or contacts for you to receive services requests, major security change requests from, and project approval and planning coordination. This could also be the people you would need to discuss initial risk concerns and corrective actions. It will vary with every organization you are a v/CISO at.

Nevertheless, the members are typically the right-hands of C-Suite and business unit leaders, plus, LOB subject matter experts (SMEs). I recommended, initially, you try to keep the committee as small as possible with key stakeholders for permanent members, but plan meeting agendas far in advance as possible in order to allow for the invitation of the needed SMEs and key stakeholders.

d.    Process Improvement Plan: You should develop the communication of and the formal kick-off for your security continuous improvement plan. This presentation should explain how, within the security program, continuous improvements with be implemented. Additionally, how cyber risk is reported, documented, and routed to the proper owner. This will include measurement planning (i.e., metrics) and define security baselines.

e.     Executing Security-as-a-Service: By now you should have developed KPIs and KRIs to measures the success of the various security services, so you show the value the security program brings to the company. You should have a good understanding of how cyber risk will be managed. How the security steering manages major changes, projects, or service requests. How compliance will be measured and met. Plus, developing an explanation of how security is provided as a service.

f.      Presentation: Congratulations! You are about 4 to 8 months into your role. Thus, version 1.0 of your security program is ready for launch. That presentation you have been developing needs to be delivered to the organization. You should be presenting the security strategy, at a minimum to your security department and key leaders (I recommend to the entire company), and communicating updates annually, if not, at a minimum every 18 months.

All of the before-mentioned steps are part of a life cycle of managing a cybersecurity program. Initially, it will be a lot of effort, but once the information is accumulated and the tasks completed for the first time, it only needs to be maintained if required. However, all of the steps will be repeating continuously annually or at a minimum, every 18 months forever or as long as your organization has a security program. 

Additionally, as a CISO or vCISO, you are a leader, at a minimum, within the security department. This requires constant mentoring of security team members, partnering with business leaders, and selling the security program’s value constantly. I know this was a lot of information and I hope this helps you in the development or management of a security program.

Latest Posts