Slide 2 (Protected)
Agenda
Context
Create a Program, not a Binder
Select Security Control Framework(s)
Define Outsourcing Philosophy
Design the Process Architecture
Prioritize Investments
Select Tech Stack
Design and Build the Team
Manage and Communicate Risk
Accelerate your InfoSec Program
Lessons We Learned
Slide 3
Context: About Halfaker
Halfaker and Associates (Halfaker, www.halfaker.com) is a midsize company, headquartered in Arlington
Halfaker creates, modernizes, integrates, and secures mission-critical systems for Federal Government organizations
Halfaker is a fast-growing, midsize organization
Because of our support of Federal Government organizations, we have many Information Security compliance requirements (e.g. NIST 800-171, DoD CMMC, VA 6500, CMS ARS 3.1)
Building an Enterprise Security Program
Context: About Me
Halfaker CIO and CISO / Formerly with Lockheed Martin
Own IT, Information Security, and Process/Quality at Halfaker
I’m a fan of certifications: PMP, PMI-ACP, SAFe® SA, ITIL
Want to follow up?
– michael.king@halfaker.com
– @mikehking (Twitter)
– https://www.linkedin.com/in/mikehking
Slide 4
Create a Program, not a Binder
Do not think about an Information Security Program as just a set of policies, or just a stack of technologies! A comprehensive InfoSec program must have all these components (Component – Description – Example Artifact(s)):
– Governance and Strategy – How the program is monitored, improved upon, and resourced (e.g. budgeted). Example artifacts: ISMS Manual; Security Program Charter; Roadmap; Goals and Metrics
– Policies and Processes – Defines how the program is executed. Example artifacts: Process Architecture; Traceable, comprehensive policies and processes
– Technology – Tools and systems used. Example artifacts: System Architecture; Service Catalog
– People – Employees, partners, and vendors, and how they are organized/allocated. Example artifact: Defined roles and responsibilities
An InfoSec program is never “done” – think continuously not just about running the program (e.g. updating risks, reviewing SIEM dashboards), but also about identifying where to invest in improvements (e.g. identifying holes or adding layers of ‘defense in depth’ maturity)
Slide 5
Select Security Control Framework(s)
There are many mature InfoSec Frameworks – do not try to create your own
Two framework types:
– Program: Assess your InfoSec program (e.g. NIST CSF (see below), ISO 27001)
– Controls: Baseline of implementation controls (e.g. ISO 27002, NIST 800-53, PCI, HIPAA)
Ideally, select a primary program framework and then a primary controls framework, and align with those
Consider using an industry-specific framework (e.g. Healthcare using HITRUST, DoD Contractors using CMMC)
Slide 6
Select Security Control Framework(s) (continued)
If you don’t know where to start, start with CIS Top 20 (see Slide 9), then NIST CSF (most popular + free)
Don’t start with a fancy Governance, Risk, and Compliance (GRC) tool – start with a spreadsheet to identify posture (see https://info.expel.io/expel-self-scoring-tool-for-nist-csf)
Your Security Processes should align with, and be traceable to, your Security Framework(s)
Slide 7
Define Outsourcing Philosophy
Decide your organization’s philosophy on Insourcing vs. Outsourcing – how you design and execute your InfoSec Program
Outsource:
– Virtual CISO (vCISO) to provide strategic direction
– Security Program Policy Templates
– Managed Security Service Provider (MSSP)
Hybrid:
– Lean team to set strategy, maintain expertise
– Complement team with services like SOC as a Service and/or Managed Detection and Response (MDR)
Insource:
– Hire an InfoSec lead (e.g. CISO or Dir, InfoSec)
– Manage a suite of best-in-breed technologies
– Establish and staff a Security Operations Center (SOC)
Where is your organization on this spectrum?
Slide 8
Design the Process Architecture
Be intentional with the design of your process architecture – start lean and think about the hierarchy of manuals, policies, and procedures, and how they are organized
Consider investing in a template package, for example:
– https://certikit.com/products/cyber-essentials-toolkit/
– https://certikit.com/templates/iso-27001-toolkit/
Consider drawing your process asset structure out, like an org chart, to visualize the areas and design for future enhancements. Align with your primary framework(s) ▼
ISMS Manual
Governance
• Security Charter
• Roles and Responsibilities
• Strategic Plan and Roadmap
• Risk Management Procedure
• Communication Plan
• POA&M Plan
Policies
• Acceptable Use Policy
• Social Media Policy
• Mobile Device Policy
• Teleworking Policy
• HR Security
• Asset Security and Access Control
Operations
• Monitoring Procedures
• Supplier Evaluation Program
• Event Identification and Management Procedure
• Incident Response Plan (IRP)
Slide 10
Prioritize Investments: Build Backlog based on Needs (See Example)
Build the Foundation:
1. Know what you have (Spreadsheet or CMDB of equipment and applications)
2. Vulnerability Management
3. Define roles/responsibilities
4. Pick primary framework and assess current posture
5. Identify your top business risks
6. Multi-Factor Auth. for all Admins
7. Anti-Virus and Endpoint Encrypt.
8. Firewalls and Intrusion Detection
9. Audit logging and E-Discovery
10. Security awareness training
11. Identify gaps and track POA&Ms
12. Practice Incident Response
Mature:
1. Secure Email Gateway
2. MFA for all users
3. Eliminate shared accounts
4. Log Analysis, SIEM, CASB, User Behavior Analytics, Data Loss Prevention
5. Establish Single Sign On (SSO)
6. Cloud Access Security Broker
7. Establish Sec. Ops Center / MSSP
8. Establish governance committee and change management board
9. Persistent VPN and Block USB
10. Practice Disaster Recovery
11. Move your compliance matrix from spreadsheet to GRC tool
Build Layered Defense:
1. Use tools like MITRE ATT&CK and OWASP Cyber Defense Matrix to inform your backlog of future improvements
2. Improve risk communication
3. Web Filtering/DNS Protection
4. Conduct pen tests
5. Conduct tabletop exercises
6. Identity Governance & Administration (IGA) solution (automate provisioning)
7. Key/Secrets Management
8. Conduct threat hunting
9. Mature Forensics capabilities
Slide 11
Select Tech Stack
Determine your philosophy:
– Do you want simplicity (e.g. fewer systems, SaaS)?
– Or do you want more control/flexibility (e.g. best-of-breed systems, hosted on-site, highly-integrated systems)?
Focus on improving areas of weakness within your program/infrastructure – do NOT listen to sales pitches without thinking in terms of your prioritized risks/issues
If you’re early in your information security maturity, focus on something simple like your NIST CSF self-assessment and attacking the red areas
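The self-assessment and stack-ranking described above (and the risk-driven backlog on the preceding slide) can be scripted; this is an added example, not a tool from the slides, Halfaker, or Expel. It assumes a 0–4 maturity scale, constructed red/yellow/green thresholds, and a 1–5 business-risk weight per gap; the subcategory ids are NIST CSF 1.1 identifiers, but the scores are sample data.

```python
from dataclasses import dataclass

# Assumed 0-4 maturity scale and colour thresholds (constructed for this
# example; neither the slides nor the self-scoring tool prescribe them).
RED_MAX = 1.5
YELLOW_MAX = 2.5


@dataclass
class Gap:
    function: str      # CSF function: Identify/Protect/Detect/Respond/Recover
    subcategory: str   # CSF 1.1 subcategory id
    current: float     # self-assessed maturity, 0-4
    target: float      # target maturity, 0-4
    risk_weight: int   # business-risk weight, 1 (low) .. 5 (top business risk)

    def priority(self) -> float:
        """Gap size scaled by how much the business cares about it."""
        return max(self.target - self.current, 0.0) * self.risk_weight


def function_scores(gaps):
    """Average current maturity per CSF function, e.g. {'Protect': 1.25}."""
    totals = {}
    for g in gaps:
        s, n = totals.get(g.function, (0.0, 0))
        totals[g.function] = (s + g.current, n + 1)
    return {f: round(s / n, 2) for f, (s, n) in totals.items()}


def colour(score):
    """Bucket a function score into the spreadsheet's red/yellow/green."""
    if score <= RED_MAX:
        return "red"
    return "yellow" if score <= YELLOW_MAX else "green"


def red_functions(gaps):
    """The 'red areas' to attack first, sorted by function name."""
    return sorted(f for f, s in function_scores(gaps).items() if colour(s) == "red")


def stack_rank(gaps):
    """Backlog ordered by risk-weighted gap, largest first (ties by id)."""
    return [g.subcategory for g in sorted(gaps, key=lambda g: (-g.priority(), g.subcategory))]


# Constructed self-assessment for a small program (sample data, not real scores).
SAMPLE = [
    Gap("Identify", "ID.AM-1", 1.0, 3.0, 5),  # asset inventory: top business risk
    Gap("Identify", "ID.RA-1", 2.0, 3.0, 3),
    Gap("Protect",  "PR.AC-7", 1.0, 3.0, 4),  # MFA
    Gap("Protect",  "PR.AT-1", 1.5, 3.0, 2),  # awareness training
    Gap("Detect",   "DE.CM-1", 2.0, 3.0, 3),  # network monitoring
    Gap("Respond",  "RS.RP-1", 3.0, 3.0, 4),  # already at target
    Gap("Recover",  "RC.RP-1", 1.0, 2.0, 1),
]

if __name__ == "__main__":
    for f, s in function_scores(SAMPLE).items():
        print(f"{f:9s} {s:.2f} {colour(s)}")
    print("Red areas:", red_functions(SAMPLE))
    print("Backlog:", stack_rank(SAMPLE))
```

Note that with these weights the asset inventory and admin MFA land at the top of the backlog, matching the order of the "Build the Foundation" column, while a fully-met control (RS.RP-1) drops to the bottom regardless of its weight.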
Slide 12
Select Tech Stack
As you mature, consider investing time in assessing yourself against MITRE’s ATT&CK™ (https://attack.mitre.org/), where you can assess your posture against 12 attack tactics, which decompose into 283 specific attack types
ATT&CK™ Matrix for Enterprise ▼
– Initial Access (10 items)
– Execution (33 items)
– Persistence (58 items)
– Privilege Escalation (28 items)
– Defense Evasion (63 items)
– Credential Access (19 items)
– Discovery (20 items)
– Lateral Movement (17 items)
– Collection (13 items)
– Command and Control (21 items)
– Exfiltration (9 items)
– Impact (16 items)
Slide 13
Design and Build the Team
Consider your insourcing/outsourcing approach
Early in an organization’s growth, it will likely dual-hat someone to own and oversee security, such as the IT leader
As an organization scales, it will need a head of security (e.g. CISO)
Determine how you want to structure your security personnel:
– Centralized – enterprise-level, centralized function
– Decentralized – distributed security personnel in individual business units/locations
As an organization scales, it should cover each of these security domains with personnel expertise/responsibilities/ownership:
1. Governance, Risk, and Strategy – Policy, Compliance, Strategy, Risk, Awareness, Business Continuity
2. Infrastructure Protection – Application security, data security, vulnerability management
3. Identity and Access Management – Identity Governance and Administration (IGA), Access Management
4. Security Operations – Monitoring and Detection, Incident Response, Threat Hunting, Vulnerability Assessment, Pen Testing, Red/Blue Teaming
5. Administrative Operations – e.g. Patch Management, System Administration, Change Management, Provisioning
Slide 14
Manage and Communicate Risk
Iteratively identify, capture, analyze, and update risks (use business vocabulary, not IT vocabulary)
Align budget requests and initiative selection/prioritization with risks to show business value
Do NOT use Fear, Uncertainty, and Doubt (FUD) – communicate in productive ways
Communicate your program’s posture/areas of weakness, based on a framework (e.g. CSF), and focus on threats/risks unique to your organization, not generic ones
Partner with business leaders – the head of InfoSec (e.g. CISO / Dir InfoSec) should NOT own security risk, the business does, and the CISO helps facilitate/drive posture improvements
Your organization’s InfoSec risk exposure will never be zero!
Figure: Current Risk Posture (Low Maturity InfoSec Program) to Target Risk Posture (High Maturity InfoSec Program)
Slide 15
Accelerate your InfoSec Program
1. Assess your organization against NIST CSF using the Expel.io scoring spreadsheet: https://info.expel.io/expel-self-scoring-tool-for-nist-csf
2. Build a central spreadsheet/database of all the equipment and software your organization owns/manages (or update it)
3. Enable MFA everywhere you can
4. Teach your employees to be suspicious
5. Separate admin access from your user accounts
6. Reduce/eliminate shared accounts (e.g. laptop login, email accounts)
7. Consider buying an Information Security policy template package, such as https://certikit.com/products/cyber-essentials-toolkit/
8. If you use cloud infrastructure (e.g. AWS, Azure), use configuration monitoring services, such as AWS Trusted Advisor or Cloud Security Posture Management solutions such as https://cloudcheckr.com/
9. Consider investing in consulting/services (e.g. MSSP) to help you understand your gaps/blind spots and prioritize how you’ll improve
Slide 16
Lessons We Learned
1. Don’t confuse compliance and ‘real’ security – they’re related, not the same
2. Information Security is a fast-moving domain – don’t feel overwhelmed or depressed by your current gaps; focus on making a map/list and prioritizing it
3. “Step back” and look at all your possible areas for improvement and intentionally prioritize/stack-rank them based on attacking your most significant risks (not just what the industry says are the most important things, but the most important things based on your business model)
4. Don’t chase the ‘shiny new technologies’ – the fundamentals of security are hard to do, and without them, the new things are irrelevant
5. Focus on the business risks – the InfoSec leader/team does NOT own information security risk, the business does!
– Talk to business executives about their concerns and priorities, and align with those!
– Partner with business leaders; don’t try to take on their infosec risks
Slide 17
Questions?
Slides will be published to https://www.slideshare.net/mikehking/
Want to follow up?
– michael.king@halfaker.com
– @mikehking (Twitter)
– https://www.linkedin.com/in/mikehking