Building A New Cybersecurity Program From Ground Up
egrizzly (Member, Posts: 533)
Hi y'all,
For you folks that have done this before (or know of people that have done it), what is the most effective or easiest resource to build a cybersecurity program from the ground up, specifically for a company with fewer than 1000 employees? If you know of an effective resource that applies to companies of all sizes, please share as well. As always, thanks in advance for the participation, engagement, and tips.
btw, I did research through Google and found the links below but they seem to be more of summarizations and opinions.
-- Link1 >> https://www.lbmc.com/blog/build-cybersecurity-program/
-- Link2 >> https://blog.rsisecurity.com/how-to-build-an-information-security-plan-for-your-small-business/
eg
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Comments
scasc (Member, Posts: 465)
Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
egrizzly (Member, Posts: 533)
scasc said:
    Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info.
You bake awesome cake @scasc. Actually having the standards frameworks to build off is awesome.
scasc (Member, Posts: 465)
egrizzly said:
    scasc said:
        Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info.
    You bake awesome cake @scasc. Actually having the standards frameworks to build off is awesome.
https://www.frankkim.net/blog/how-to-make-sense-of-cybersecurity-frameworks
Check it out.
egrizzly (Member, Posts: 533)
Great. Much gratitude, buddy.
scasc (Member, Posts: 465)
No worries.
egrizzly (Member, Posts: 533)
The interesting thing too is that in a modern metropolitan area this can probably be done using a simulated or mock office of 100, 500, or 1000 employees, etc., since the baseline security posture is typically the same for the most part for businesses of those sizes in that type of location (modern city).
veritas_libertas (Member, Posts: 5,746)
We used the CIS 20 Critical Controls as a framework to guide our security program development. It's worked well and maps easily to other frameworks.