Joshua Goldfarb

Taking A Security Program From Zero To Hero

Breaking the enigma of InfoSec into smaller bites is a proven method for building up an organization's security capabilities. Here are six steps to get you started.

After many years as a niche profession, security has recently emerged as a mainstream one. Awareness is at an all-time high, and security is now a board-level discussion. With all this attention comes a very real problem for many organizations. The organization needs a mature security program, and they need it yesterday. But building and maturing a security program is a complex undertaking. How can organizations go from zero to hero in a minimal amount of time?

Source: Pixabay

The problem is particularly challenging for smaller organizations that don’t already have an established security program in place. To start, you’ll need an understanding of a few pragmatic concepts and a bit of guidance to help to make the security journey a bit smoother. While not an exhaustive list, I have put together a few pointers that approach security as a business function. In my experience, it can be helpful to frame the topic in this manner, just as we would any other business function.

Step 1: Awareness
The first step toward a successful security program is the understanding that you need one. There is no shame in this – progress has to begin somewhere. Once the organization has resolved to stop treating security as an unapproachable enigma and to begin treating it pragmatically, the journey begins. There are certainly many pitfalls along the way, but the resolve to focus on security is the first step, and an important one, in the right direction.

Step 2: Vision
Any organizational journey needs to be driven in the right direction by a clear and concise vision. This security vision should not only be about what the organization seeks to accomplish, but also about how the organization will go about accomplishing that. The way to create that vision is to inform it methodically and scientifically. Begin with the risks and threats that the organization seeks to mitigate. Break those down further into goals and priorities to address on the road to mitigation. From those building blocks, a clear and concise vision can be assembled that encapsulates a strategic approach to security.

Step 3: People, process, and technology
People, process, and technology are the three pillars of a successful security program. These three pillars also form the means by which a security program is implemented. It’s important to consider all three in tandem, as they are highly inter-dependent and inter-related.

People are an essential part of any security program. Recruiting and retention are strategic aspects of a security program that are not always initially obvious. The right people are essential, as they implement the vision and carry out day-to-day operations. In the security world especially, people are a scarce resource, and as such, it is important to use them wisely. How wisely we use our people depends heavily on the process and technology we have in place.

Process guides people in how to use technology to address the goals and priorities that the organization has set. Additionally, process demonstrates to our stakeholders that we are serious about security by providing a formally documented approach. A process also invites us to study it, thereby allowing us to assess where we have bottlenecks and otherwise inefficient uses of resources.

Technology enables and empowers people to execute the process. Technology should be acquired strategically, so as to maximize the goals and priorities it helps to address while minimizing the cost and complexity required to do so. Acquiring technology in a non-strategic manner, or via a checklist approach, can lead to unnecessary complexity and a data picture that isn’t particularly well-organized. Security is already a challenging enough discipline – no additional noise needs to be added.

Needless to say, the people, process, and technology required for a great security program can be difficult to implement, particularly for organizations with a limited time window. Consider working with a trusted partner to provide different pieces of the required people, process, and technology as best fits the organization’s strategy.

Step 4: Workflow
Once the security program is off the ground, focus shifts to workflow. The threat landscape is always changing, so it’s important that a security program never stop growing. Continue to adjust people, process, and technology as required to keep pace with changing risks. Make the best of the resources you have. Keep alert volumes to a reasonable level, and review every alert. Keep the signal-to-noise ratio high by populating the work queue with high-fidelity alerting specifically designed to address the organization’s goals and priorities while minimizing noise. Study the workflow continually to understand where improvements can be made and efficiencies can be introduced.

Step 5: Communication
Communication serves as a means by which metrics and other important information can be regularly communicated to leadership. But communication serves another important purpose as well. Relationships with upstream providers, peer organizations, professional associations, partners, customers, legal, privacy, and other stakeholders are incredibly important. Having those relationships in place ahead of time can help ensure that when crunch time comes, the appropriate channels exist to disseminate, receive, and act upon information in a timely manner.

Step 6: Community
The knowledge of 100 organizations will always be greater than the knowledge of just one. Techniques, methodologies, and indicators of compromise (IOCs) are all great information that can be shared between organizations. Those who give the most generally receive the most, and building street cred for your organization is important. Sometimes, being remembered can mean the difference between getting timely intelligence and not getting that intelligence. True, community is a less tangible aspect of a security program, but it is what separates good security programs from great ones.

Though initially overwhelming, when approached strategically, security is something that every organization can incorporate into its business operations. Breaking the enigma of security down into smaller, solvable problems and challenges is a proven method for organizations needing to build up their security capabilities. No organization has to go it alone, as many in the information security community are here to help.


Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...
Christian Bryant,
User Rank: Ninja
5/14/2015 | 2:17:03 AM
Step 7: Hackers, Crackers and Phreaks
Let's not forget Step 7 which could take your security group from zero to hero quicker than steps 1-6 (and no, this isn't part of Step 3 - this isn't about "people" in the organizational sense).

Depending on your data and how dire your need is to make sure your security is the tightest it can be, and remains that way, pulling in some underground talent to pick your organization apart can be invaluable. Nothing helps define the security of a site better than someone dissecting it and handing you the pieces.

I love hearing the old "We have a new security initiative underway. You may hear from some people looking for your input." Great. If I ever actually hear from them, I'll tell them to hire my friend "John Doe" who will do in two hours (identify at least 50 key vulnerabilities and propose fixes) what some "initiatives" take years to do.

Don't get me wrong, I'm old now and Common Criteria and its EALs and TOEs look pretty good to me these days. But Step 7 has to be the go-to sometimes, even if it winds up being off the books.
User Rank: Ninja
5/13/2015 | 1:38:39 PM
The Profit
Step 3 makes me feel like I'm on an episode of The Profit with people, process, and profit.

These are very good guidelines for trying to initiate a security program and even building upon a currently structured security program. You can look at these steps as a high-level process that can help to align an overall structure or a guideline towards implementing individual security protocols. For example, you can use these, from an organizational perspective, to implement DLP, etc.