Building A New Cybersecurity Program From Ground Up

egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
edited December 2020 in Cybersecurity Management
Hi y'all,

For you folks that have done this before (or know of people that have done it) what is the most effective or easiest resource to build a cybersecurity program from the ground up specifically for a company with less than 1000 employees.  If you know of an effective resource that applies to companies of all sizes please share as well.  As always, thanks in advance for the participation, engagement, and tips.

btw, I did research through Google and found the links below but they seem to be more of summarizations and opinions.
-- Link1 >> https://www.lbmc.com/blog/build-cybersecurity-program/
-- Link2 >> https://blog.rsisecurity.com/how-to-build-an-information-security-plan-for-your-small-business/

eg
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • scascscasc Member Posts: 461 ■■■■■■■□□□
    Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info. 
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    scasc said:
    Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info. 

    You bake awesome cake @scasc.  Actually having the standards frameworks to build of is awesome.

    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • scascscasc Member Posts: 461 ■■■■■■■□□□
    egrizzly said:
    scasc said:
    Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info. 

    You bake awesome cake @scasc.  Actually having the standards frameworks to build of is awesome.
    No problem - let us know if you need anything else. Frank Kim from SANS posted a great link on this. 

    https://www.frankkim.net/blog/how-to-make-sense-of-cybersecurity-frameworks

    Check it out.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□

    Great. much gratitude buddy.
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • scascscasc Member Posts: 461 ■■■■■■■□□□
    No worries
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    The interesting thing too is that in a modern metropolitan area this can probably be done using a simulated or mock office of 100, 500, or 1000 employees, etc., since the baseline security posture is typically the same for the most part for businesses of those sizes in that type of location (modern city).
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    edited January 2021
    We used the CIS 20 Critical Controls as a framework to guide our security program development. It's worked well and maps easily to other frameworks.
Sign In or Register to comment.