When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - as well as diving into the immediate and very specific things that need improving. Here are 5 of those I’ve found useful or have seen over the years in various companies (large and small) and various contexts (public and private). This is not an exhaustive list.
Increase Risk Transparency & Accountability. Fundamental, but not easy - something that is a constant work in progress for all. This includes maintaining a catalog of risks and the controls that mitigate them, and subjecting those controls to continuous automated verification. Establish a formal risk appetite protocol for determining who, at what level of the organization, can endorse a residual risk. Converge management of different risks, e.g. improvements in the SDLC have intrinsic benefits for security, resilience can reduce attack blast radius, etc. Increase the velocity of the find risk → fix risk flow. Use inherent risk reduction as a tactic – in other words, try risk avoidance in addition to applying controls; for example, how about not capturing or keeping sensitive data you don’t actually need. Reducing the inherent risk in business and IT processes often has adjacent commercial benefits (in fact, finding these benefits can be the major driver for achieving the de-risking objective) & further increases efficiency by reducing the number of deployed controls.
Raise the Baseline by Reducing the Cost of Controls. If controls can be widely embedded, easily deployed, autonomously managed, made cheap(er), have reduced negative externalities & bring adjacent non-security benefits, then you can apply them more widely at diminishing cost. The trope of “don’t spend more on controls than the financial risk of a potential loss” breaks down when deploying the controls is cheaper than doing the risk assessment to decide whether you should deploy them in a specific place (net of negative externalities).
Create More Defensible & Resilient Architectures. Obvious, right? But easier said than done. Minimize attack surfaces, architect for lower blast radius, implement “zero trust” whatever you take that to mean. Replace explicit-deny with explicit-permit across software execution, data flow and connectivity – and remember that the graph you end up building to encode these relationships/flows is perhaps your biggest asset (it’s graphs all the way down these days). Architect defensible business processes as well as tech. Your business process controls can provide major lines of defense. This is another reason security teams should intimately know your business processes (upstream to customers & downstream to the supply chain).
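As an added illustration (not from the original post) of why that explicit-permit graph is an asset: once permitted flows are encoded as a graph, blast radius is a reachability computation, and the result can be compared against the flat explicit-deny posture the paragraph argues against. The workload names and edges below are constructed.

```python
from collections import deque

# Constructed explicit-permit graph of allowed flows between workloads.
# Edge a -> b means "a may call/connect to b"; any flow not listed is denied.
PERMIT_GRAPH = {
    "web": {"api"},
    "api": {"orders-db", "auth"},
    "auth": {"auth-db"},
    "batch": {"orders-db", "reporting"},
    "reporting": set(),
    "orders-db": set(),
    "auth-db": set(),
}

def blast_radius(graph, compromised):
    """Every node reachable from `compromised` by following permitted flows
    (transitive closure via BFS), i.e. what a foothold there could pivot to."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen

def flat_network(nodes):
    """Model the explicit-deny posture: every node may reach every other
    unless specifically blocked (nothing is blocked in this constructed case)."""
    return {n: set(nodes) - {n} for n in nodes}

def blast_radius_report(graph):
    """Blast radius per node, largest first, to prioritize de-risking work."""
    return sorted(((n, len(blast_radius(graph, n))) for n in graph),
                  key=lambda kv: (-kv[1], kv[0]))

def high_value_exposure(graph, assets):
    """For each high-value asset, the nodes whose compromise could reach it."""
    return {a: sorted(n for n in graph if a in blast_radius(graph, n)) for a in assets}

if __name__ == "__main__":
    for name, score in blast_radius_report(PERMIT_GRAPH):
        print(f"{name:10s} blast radius = {score}")
    print(high_value_exposure(PERMIT_GRAPH, ["orders-db"]))
    print("flat network, web:", len(blast_radius(flat_network(PERMIT_GRAPH), "web")))
```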
Increase Risk Workforce Productivity. For every unit spent on trying to hire & train more security professionals, invest 10x that in increasing the productivity of the people you already have. It will also help retain them, as they’ll be doing higher quality jobs. Apply this to all who interact with security: make the secure path the easiest path, and use UX/usability in systems – especially customer-facing ones – as a control to influence secure behaviors. Automation/skills density across the enterprise is more important than numbers of people.
Operate Threat Intelligence & Large Scale Hunting. Constantly scale up and speed up the intelligence, hunt and defense OODA loop. Disturb the economics of attackers, study their evolving TTPs not just attack-specific IOCs, & aim to neutralize whole classes of attacks.
Bottom line: focus on tactical goals (get stuff done!), not solely on grand strategy, but devote time to some meta-objectives that direct how these tactics build more lasting effects - especially efforts to commoditize controls so you can put them in more places at less cost.