Getting Started with Security: 5 Key Steps for New Leaders

Rachana Gupta
3 min read · Mar 18, 2024

Many new security leaders face the same challenge: building a strong security program from scratch, or improving an existing one. The good news is that there are common steps that apply in almost any situation. A LinkedIn post asking what someone would do when starting a new security function at a company got me thinking. This post is about an internal cybersecurity function.

Here are 5 key things to focus on when starting your security program:

1. Security Checkup: Just like going to a new doctor, you’ll want a clear picture of your current security health. This means doing a security risk assessment to identify your biggest weaknesses. Start by asking questions. What on-premise security controls and tools are in use? Note them. How is cloud security done? Note it. What tools and vendors are already in place, and which of them are coming up for yearly renewal?

Example: Imagine you’re the new security chief at a bank. You’d want to assess how well your computer systems are protected from hackers, and how well your physical security protects the bank branches and ATMs. This is a simple example in itself, but security is simple; we overly complicate it. Go with a layered approach instead of an all-in approach.

2. Talk to the Team: Security isn’t a one-person job! Talk to different parts of the company to understand their needs and concerns. This will also help you figure out how much risk the company is willing to accept (its “risk appetite”). Don’t just talk technical; ask about pain points and bottlenecks in the process. Talk to engineering and get a sense of how they view security. Sometimes, or rather many times, I see engineers thinking security processes slow them down. And many times they are right. So note those down, as solving them will definitely earn you some mileage with engineering.

Example: You might talk to the IT department about the types of data they store, and the finance department about what regulations they need to follow.

3. Make the Rules: Clear security policies are essential! These policies outline what employees are and aren’t allowed to do with company data and systems. Look at corporate policies and see if they are outdated and need any changes. Also look at the standards and have them reviewed as well. Because I personally feel that if there are no policies, what will the security team review?

Example: A security policy might say that employees should never click on suspicious links in emails, and that all company laptops must have strong passwords.

4. Money Matters: Security costs money, so you’ll need to figure out a budget for your program. This includes the cost of security tools, training for employees, and maybe even hiring new security staff. The amount of time I have spent in budgeting discussions about a tool or a hire has been endless. Security is a “non-core” business (excluding product security), so try to understand whether your management views it as an added expense or a necessary expense. This means you need to get creative in solving some problems if the budget is not granted.

Example: You might need to budget for software that helps protect against malware (viruses and other harmful programs), or training for employees on how to spot phishing attacks (emails that try to trick you into giving up personal information).

5. Building the Dream Team: The right people can make or break your security program. Depending on the size and needs of your company, you might need to hire new security staff, or train existing staff on new skills.

Example: You might need to hire someone to manage firewalls (security systems that control what data comes in and out of your network), or train your IT team on how to respond to a security incident.

Remember, these are just starting points. The specific steps you take will vary depending on your company’s unique situation. But by following these tips, you’ll be well on your way to building a strong security program.

Rachana Gupta

I write about cybersecurity and also reflect on life