Building your Security Program from the ground up

Ross Hosman
6 min read · Aug 11, 2020

For a lot of companies, especially startups, security isn’t the first role they hire for, and their security program isn’t a focus in the beginning. That isn’t to say they aren’t secure or that the product they built isn’t secure, but usually security programs and security hiring come later in their journey.

I have been fortunate enough to work on a few security programs for large enterprises and have also built a few security programs from the ground up. I have also interviewed countless startups about their security as part of a vendor risk management program. So I wanted to share my thoughts on building your security program based on these experiences.

There are many ways to go about building your security program, and there is no specific formula you should follow. It really depends on your company, its goals, its customer profile and your goals for the program.

Figure out what matters to your executives

Have you chatted with your CEO? What about your VP of Engineering/CTO, Head of Marketing, Head of Sales, Head of Product? Talk to your leadership and find out their near-term as well as long-term goals. If your Head of Sales really wants to go after the healthcare market, that is a good thing to understand, because you are going to have to put the governance and security controls in place to support it. A lot of the time executives won’t have specific security goals because they don’t know much about security, but they do have business goals. Business goals will help you develop your security strategy and roadmap and drive your hiring in different areas.

Remember, your security program is there to support the business, not to constrain it. As you build it, figure out how each thing you are building ties back to supporting the business; if it doesn’t, you shouldn’t be doing it.

Understand your customer profile

To build on what the business needs, you need to understand what your customers need. The needs of startups are very different from those of an enterprise customer. Are you going after highly regulated customers in finance or healthcare? Understanding which compliance and security controls you’ll need to meet for your customers is key to your security program.

Sit down and build a security report card

You don’t know where you need to invest your resources until you understand where you are. Use this report card to inform your executives of where your company stands security-wise. Then use your scores together with your business goals to develop your security strategy and roadmap.

When I build this report card I focus on key categories:

  • General Security
  • IT Security (MDM, Endpoint Security, etc.)
  • Infrastructure / Cloud Security (Container Security, Automated Remediation, etc.)
  • Application Security (Peer-reviewed merges, SAST, etc.)
  • Network Security (Firewalls, IPS, Wireless Security, NAC, etc.)
  • Security Hygiene (Patching, Asset Management, etc.)
  • Security Awareness (Employee security training, Phishing tests)

I usually just do a 1–10 score for each question in a category. If you want to get really technical you can weight the questions based on importance, but just getting this done and communicated is more important.
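As an added example (not code from the original post), here is a small Python scorer for the report card described above: each question gets a 1–10 score, categories are averaged, optional importance weights produce an overall score, and the weakest categories are listed to feed the roadmap. The categories are the post’s; the questions, scores and weights are constructed sample data.

```python
# Added example: weighted security report card scorer.
# Question scores and weights below are constructed sample data, not real results.
from dataclasses import dataclass, field


@dataclass
class Category:
    name: str
    weight: float = 1.0                          # importance weight (assumed)
    scores: dict = field(default_factory=dict)   # question -> score on a 1..10 scale

    def average(self) -> float:
        """Plain average of the category's question scores (validated to 1..10)."""
        for question, score in self.scores.items():
            if not 1 <= score <= 10:
                raise ValueError(f"{self.name}/{question}: score {score} not in 1..10")
        return sum(self.scores.values()) / len(self.scores)


def overall_score(categories) -> float:
    """Weighted average of the category averages, still on the 1..10 scale."""
    total_weight = sum(c.weight for c in categories)
    return sum(c.average() * c.weight for c in categories) / total_weight


def weakest(categories, n=3) -> list:
    """Lowest-scoring categories: the ones the roadmap should invest in first."""
    return [c.name for c in sorted(categories, key=lambda c: c.average())[:n]]


def render(categories) -> str:
    """One line per category plus the overall score, for sharing with executives."""
    lines = [f"{c.name:<34} {c.average():>5.1f} / 10  (weight {c.weight})" for c in categories]
    lines.append(f"{'Overall (weighted)':<34} {overall_score(categories):>5.2f} / 10")
    return "\n".join(lines)


# Constructed sample report card using the post's categories.
REPORT_CARD = [
    Category("General Security", 1.0, {"security owner named": 8, "incident plan": 4}),
    Category("IT Security", 1.5, {"MDM deployed": 3, "disk encryption": 5}),
    Category("Infrastructure / Cloud Security", 2.0, {"container scanning": 6, "automated remediation": 2}),
    Category("Application Security", 2.0, {"peer-reviewed merges": 9, "SAST in CI": 7}),
    Category("Network Security", 1.0, {"firewall rules reviewed": 7, "NAC": 2}),
    Category("Security Hygiene", 1.5, {"patching SLA met": 5, "asset inventory": 4}),
    Category("Security Awareness", 1.0, {"annual training": 8, "phishing tests": 6}),
]

if __name__ == "__main__":
    print(render(REPORT_CARD))
    print("Invest first in:", ", ".join(weakest(REPORT_CARD)))
```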

Security is an enabler for the business

Your job as leader of your security program is to enable the business to meet its goals in a secure manner. You are not the “no” person, and you are not there to be a gatekeeper. So many security people and their security programs fail because they forget this simple truth. If you are seen as helpful and as an enabler of the business, you and your security program will be much more successful.

Our security team and program at Sigma Computing enables our business to operate securely, enables sales to sell to large enterprises and ensures we are meeting our regulatory and compliance obligations. We can do this because we have the backing of our executive team and we are seen as enablers, not blockers. We also have an amazing engineering culture that is focused on security, which is key to our success.

Build the roadmap and strategy, then overly communicate it

One of the biggest frustrations other teams have with security teams is that they don’t know what the security team is doing. Security is viewed as the people who sit in the corner of the office and just come out to say no.

By laying out a roadmap that is tied to business goals and communicating it clearly, people know what you are doing, which means they will be more likely to support you.

Engage the Information Security community for help

The security community has fantastic resources that allow you to engage with fellow infosec professionals. Join a security Slack, meet up at a CitySec (when it is safe to do so), go to BSides, join a security leadership group in your area. I highly recommend you check out the Information Security Leadership Foundation (https://www.islf.foundation/). Also check out Security4startups (https://www.security4startups.com/).

Many of these folks have come across the same problems you have and have solved them. Engaging with these groups gives you new ideas not only around security but around leadership, communication and organization. This has been one of the most important things for my learning as a security leader.

Explain the why

If you have to make changes that affect people, explain why you are doing so. There is nothing more frustrating than being affected by something and not understanding why it needed to be done. For example, if you need to roll out MDM (Mobile Device Management), explain to your employee base the outcomes you want from it: you want to ensure all your devices are encrypted, you want to be able to track stolen devices, you want to enforce good security hygiene around patching so you can answer security questionnaires for sales in the affirmative, and so on. You’ll find that people become supportive of these solutions when they understand the why!

Customers, Employees and then the Business

Protect your customers’ interests first, your employees’ next and your business’s last. This may seem backwards, and I’m sure some people will disagree with me, but hear me out. Sometimes your business will want to do things that aren’t in the best interests of your customers, say release a new feature that hasn’t been properly tested in order to get it out the door, which could expose your customers to security risk. In this case you have to be the customer advocate and fight for the customer’s interest over the business interest of releasing the feature. Without customers you have no business, and without smart employees who feel secure your business can’t operate, so that is why these two groups come before the business.

There are also some anti-patterns that I have seen in the security space, so I want to call those out as well.

A SOC 2 does not mean you are secure

So many companies, especially startups, tell me that they have their SOC 2, so they have good security. If you look at most of the recent breaches at startups, especially the ones caused by simple mistakes like an open ElasticSearch cluster or an open storage bucket, those companies had their SOC 2. It has gotten so bad that I find the report mostly pointless for gauging their security and just move on to interviewing them about it. That isn’t to say your company shouldn’t get its SOC 2, as most customers want to see it, but it isn’t a good gauge of security (it’s like the CISSP).

Don’t chase the shiny, focus on outcomes

There are so many companies in the security space that want to sell you the next solution that will “solve all your security issues”, and we as security practitioners get caught up in it. There is a new tool that looks really cool that we want, but is it right for your business, and is it the right time? Shift away from the tool and focus on the outcome you want.

In closing, remember to build your security program to enable the business securely. People will see you and your program as helpful rather than as a blocker, which will allow you to accomplish your goals.
