I’ve had a number of requests to write a post about how to start and grow a new security program – or a substantial reassessment and rebuild of an existing program. 

This is a difficult one to write because, as you all know, there is no one size fits all approach. Starting from scratch in a 10 person startup is very different from (re-)building a security program in a more established organization. What I’ve tried to do here, instead, is to develop a framework and step by step guide to apply to pretty much any type of organization. It might be that in applying this you only need, for your risk and stage of development, to go halfway in the various steps. Some time later, as your organization grows in size, stature or criticality then you might need to do the whole thing. 

There are 4 phases of maturity each with their own steps. But basically it’s all about (1) start facing in the right direction, (2) getting the basics done, (3) making those basics more routine / sustainable and then, if you need to (4) making it much more advanced / strategic.  — Read More