Building a Security Program: Start Small

Your security team is trying to build tooling, awareness campaigns or processes to improve the security posture of your organization and its products. How often does one of your projects or products fail, or not have the impact you were hoping for? Are you trying to solve a problem for the whole organization in one sweep, or are you starting small so that you can learn fast and gradually expand?

Big, ambitious undertakings done in a traditional (Waterfall) way are more prone to failure. According to an AmbySoft survey conducted in 2013, traditional project management has a 15-20% higher chance of failure in schedule, budget or specification.

Rolling out a large blanket solution across an entire organization is rarely a simple, linear problem to solve; it is usually a complicated or complex set of interconnected problems. There is an unknown amount of uncertainty in both the effort needed to get it across the finish line and the impact the solution(s) will have.

A leaner approach, where you work the problem for a small subset of your organization, has a better chance of success. Doing this gives you a great deal of flexibility and agility, and lets you learn whether your hypotheses about the solution(s) are correct.

Start by focusing your security program's efforts on one team in your organization. Make use of ad-hoc and manual processes, workflows and tools while you learn. Then figure out how to automate your solutions for this one team. Then figure out how to scale those solutions to a few teams. Then to bigger units within your organization. Don't try to solve problems for your entire organisation in one go; solve them for one team, with scaling to your whole organisation in mind.

You will always have teams in your organisation that are willing to collaborate more closely with you, because they value security more. If you're struggling to identify early customers, look for teams that maintain highly security-sensitive functionality, such as login/account or payment functionality, or teams that you already have a good relationship with.

About Koen Hendrix