How to Set Up Your First Security Program

Published 09/26/2024

Originally published by Vanta.

There's no one-size-fits-all approach when it comes to setting up your organization’s first security program. Each organization has a unique set of business needs, guardrails to implement, and data it needs to protect, which is why it’s important to remember that every security program is going to look a bit different.

If you’re in the process of setting up your first security program, here are some steps I recommend you take and apply to your organization's unique needs.

Step 1: Understand your organization’s risks and your risk appetite

The first thing you should do is conduct an assessment of your organization’s risk. You can do this by interviewing stakeholders and the leadership team to get a sense of your organization’s risks as well as understand what data is important to the business and where that data lives.

In these conversations, you should also try to understand the organization’s risk appetite. You may find that your personal risk appetite differs from that of the organization and your senior leaders. It’s important to find a middle ground and implement solutions that are both effective and secure while enabling the business to move forward.

Step 2: Implement essential security controls

Once you have a firm understanding of your organization’s risks, I recommend implementing some basic security controls your organization needs to protect itself. This includes controls like multi-factor authentication (MFA), conducting security awareness training, and endpoint detection. These baseline controls can get you far in your initial implementation. The 18 CIS Critical Security Controls (CIS Controls) are a great place to start.

If you want a more prescriptive set of security controls to implement based on your organization’s needs, choose a compliance framework to align with. Many organizations choose to get a SOC 2 report or get ISO 27001 certified as these cover a broad range of security controls that can be applied across different sectors. However, there may be a more applicable framework depending on the industry you're in—in this case, choose one that meets the standard for the industry you do business in.

Step 3: Develop an incident response plan

Many people make the mistake of waiting until all aspects of their initial security program are defined and in place before building out an incident response plan. You will have incidents and some of those may unfortunately be breaches. While these incidents are difficult to avoid, what matters is how you respond to them and that you have a process in place to take action as they arise.

Start by defining potential incidents and assigning them severity, identifying the right teams and stakeholders responsible for managing specific incidents, building a process for employees to declare incidents, and ensuring you have the right tools to address them. It’s also important to establish external communication guidelines in the event of a customer-impacting incident.

Be sure not to overlook this as you build out those early pieces of your journey.

Step 4: Hire the right people

CISOs regularly talk about the types of people they come across when building out their teams. Here are two tips I have when it comes to hiring:

The first is that you don't necessarily want to hire the “brilliant jerk.” You may be tempted to hire these types of people because they are incredibly talented and smart, which is exactly what you need in a security hire—but don't do it. Finding people who fit your team culture and work effectively as part of a team is just as important as finding people who are smart.

Second, hire people who are extremely curious and show that they’re interested in continuous learning. If you think about the cybersecurity space, it's constantly evolving—so it's critical to find people who have a natural curiosity and can keep up with the evolution of the cybersecurity landscape.

Step 5: Foster a security-conscious culture

It’s important to establish a security-aware culture that exists not only within your security team, but that also extends across the entire organization. While security will be part of your team’s day-to-day, it’s everyone's responsibility to protect your organization.

Our team plays a key role in shaping our security culture, which is rooted in trust, transparency, and continuous improvement. Every team member, from leadership to new hires, understands the critical role they play in maintaining a secure environment. Through regular training, open communication, and proactive engagement, we can ensure that security is not just a policy but a core value embedded in our daily operations.

For more insights about how to set up your first security program, watch our on-demand Security at Every Stage webinar.
