Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Listen Now: 'Real-Talk on Opportunities for Security Teams to Fight AI with AI'

How to Set Up Your First Security Program

Home
Industry Insights
How to Set Up Your First Security Program

Blog Article Published: 09/26/2024

Originally published by Vanta.

There's no one size fits all when it comes to setting up your organization’s first security program. Each organization has a unique set of business needs, guardrails to implement, and data it needs to protect, which is why it’s important to remember that every security program is going to look a bit different.

‍If you’re in the process of setting up your first security program, here are some steps I recommend you take and apply to your organization's unique needs.

Step 1: Understand your organization’s risks and your risk appetite

The first thing you should do is conduct an assessment of your organization’s risk. You can do this by interviewing stakeholders and the leadership team to get a sense of your organization’s risks as well as understand what data is important to the business and where that data lives.

‍In these conversations, you should also try to understand the organization’s risk appetite. You may find that your personal risk appetite may differ from that of the organization and your senior leaders. It’s important to find a middle ground and implement solutions that are both effective and secure while enabling the business to move forward.

Step 2: Implement essential security controls

Once you have a firm understanding of your organization’s risks, I recommend implementing some basic security controls your organization needs to protect itself. This includes controls like multi-factor authentication (MFA), conducting security awareness training, and endpoint detection. These baseline controls can get you far in your initial implementation. The 18 CIS Critical Security Controls (CIS Controls) is a great place to start.

‍If you want a more prescriptive set of security controls to implement based on your organization’s needs, choose a compliance framework to align with. Many organizations choose to get a SOC 2 report or get ISO 27001 certified as these cover a broad range of security controls that can be applied across different sectors. However, there may be a more applicable framework depending on the industry you're in—in this case, choose one that meets the standard for the industry you do business in.

Step 3: Develop an incident response plan

Many people make the mistake of waiting until all aspects of their initial security program are defined and in place before building out an incident response plan. You will have incidents and some of those may unfortunately be breaches. While these incidents are difficult to avoid, what matters is how you respond to them and that you have a process in place to take action as they arise.

‍Start by defining potential incidents and assigning them severity, identifying the right teams and stakeholders responsible for managing specific incidents, building a process for employees to declare incidents, and ensuring you have the right tools to address them. It’s also important to establish external communication guidelines in the event of a customer impacting incident.

‍Be sure not to overlook this as you build out those early pieces of your journey.

Step 4: Hire the right people

CISOs regularly talk about the types of people they come across when building out their teams. Here are two tips I have when it comes to hiring:

‍The first is that you don't necessarily want to hire the “brilliant jerk.” You may be tempted to hire these types of people because they are incredibly talented and smart, which is exactly what you need in a security hire—but don't do it. It's just as important to find people that fit your team culture and work effectively as a team as they are smart.

‍Second, hire people who are extremely curious and show that they’re interested in continuous learning. If you think about the cybersecurity space, it's constantly evolving—so it's critical to find people who have a natural curiosity and can keep up with the evolution of the cybersecurity landscape.

Step 5: Foster a security-conscious culture

It’s important to establish a security-aware culture that exists not only within your security team, but that also extends across the entire organization. While security will be part of your team’s day-to-day, it’s everyone's responsibility to protect your organization.

‍Our team plays a key role in shaping our security culture which is rooted in trust, transparency, and continuous improvement. Every team member, from leadership to new hires, understands the critical role they play in maintaining a secure environment. Through regular training, open communication, and proactive engagement, we can ensure that security is not just a policy but a core value embedded in our daily operations.

‍For more insights about how to set up your first security program, watch our on-demand Security at Every Stage webinar.

Cloud Incident ResponseRisk ManagementSecurity GuidanceTransitioning to the cloud

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Download the Guide to AI Governance & Risks
Register for the Zero Trust Summit 2024
Download: AI in Medical Research
Trending This Week
#1 How to Earn the Certificate in Cloud Security Knowledge (CCSK)
#2 The 6 Phases of Data Security
#3 CSA STAR Level 2: STAR Attestations and Certifications
#4 Fully Homomorphic Encryption vs. Confidential Computing
#5 Machine Learning for Threat Classification
Enhance your cloud security skills with CSA's online training options.
Related Articles:
What are the Benefits of a Social Engineering Campaign?

Published: 09/25/2024

What is the CSA STAR Program? An Intro for Beginners

Published: 09/24/2024

AI Regulation in the United States: CA’s ADMT vs American Data Privacy and Protection Act

Published: 09/24/2024

8 Ways to Reduce Data Storage Costs

Published: 09/24/2024