Security Programs
Strategic
Starting a Security Program
| Link | Description |
|---|---|
| Cloudflare Startup Security: Starting a Security Program at a Startup | |
| Early Security for Startups | What should a startup without a security team do for security? |
| Startup Security 2.0 | The definitive guide to security at hyper growth startups, by someone who lived to tell the tale |
| The SOC2 Starting Seven | 7 things you can do now that will simplify SOC2 for you down the road while making security posture materially better in the immediacy |
| magoo Starting Up Security: From Scratch | It’s important to start a program with a consensus on the wide view of risks and threats |
| Starting a Security Program from Scratch (or re-starting) | |
| 10 Things Your First Security Hire Shouldn’t Do | |
| Startup security starter pack | A collection of resources to help you get started with security at your startup |
| High Leverage Security Decisions | Essential security strategies for early-stage startups to minimize risks while facilitating smoother audits |
| Checklists | |
Scaling Up
| Link | Description |
|---|---|
| An opinionated guide to scaling your company's security | Clint's talk summarising approaches from multiple companies |
| How to 10X Your Security | Distill tips / insights from talks, blog posts, tools, and in-person conversations |
| How to 10X Your Cloud Security (Without the Series D) | |
| Phil Venables Delivering Security at Scale: From Artisanal to Industrial | It is vital to move from individual artisanal excellence to scale your security program with a relentless approach of progressively industrializing every part of your program |
| Career Longevity & "The Don't Fire Me Chart" | To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity. The trouble is this is also a space where there is often impatience to get results fast |
Frameworks
| Link | Notes |
|---|---|
| NIST Cybersecurity Framework | |
| Equifax Controls Framework | Equifax has released an open-source controls framework that provides security guidance for cloud-native applications |
| OWASP SAMM | An effective and measurable way for you to analyze and improve your secure development lifecycle |
| Data Security | |
Tactical
Practical
| Link | Description |
|---|---|
| Phil Venables Security Program Tactics | |
| Phil Venables Prioritizing Security Improvements - A Deceptively Simple Way | |
| The Path to Zero Touch Production | |
| magoo Securing Customer Support | |
| The Copenhagen Book | A general guideline on implementing auth in web applications |
Selling Security Internally
| Link | Description |
|---|---|
| Phil Venables Ceremonial Security and Cargo Cults | Over time many important risk mitigations become ceremonies. This blunts the effectiveness of the controls and in some cases outright perverts the original intent so that the control is not only ineffective but is actually counter-productive |
| Phil Venables Incentives for Security: Flipping the Script | |
| Phil Venables Slipstreaming : Business Tactics for Security & Control Implementation | Use new projects and enhancements as opportunities for improvement |
| Phil Venables Scenario Planning - The Best Technique You Might Not Be Using | Macro scenarios are useful to shape your broader strategy and prepare you to respond to the worst case by pre-planning what triggers to look for |
| Phil Venables Return on Investment for Security | Follow the money to actual accounting entries |
| Phil Venables Simple Ways to Communicate Successes | All risk programs, but especially security, have the issue that success is often silent and failure is highly visible |
| Phil Venables Managing a quarterly security review | A general meeting structure: |
| Build the security you expect | |
| Don't Security Engineer Asymmetric Workloads | |
Metrics
| Link | Description |
|---|---|
| Phil Venables Principles for Cybersecurity Metrics | |
| Phil Venables Security Programs - A Plan is Not a Strategy | You might find the following goals in a strategy: |
| Phil Venables You Only Get 3 Metrics - Which Ones Would You Pick? | |
| Phil Venables The Leading Indicators of a Great Info/Cybersecurity Program | It's not always possible to deeply assess organizations. However by looking for these leading indicators you can get some sense of security intent and focus |
| Phil Venables Career Longevity & The Don't Fire Me Chart | One of the more common patterns of security program success vs. failure is how much leadership is prepared to stick with the work over the long term. Transitioning to a more defensible security architecture requires persistence, engagement, and leadership commitment over several years, perhaps longer |
| Scorecarding Security | Lessons from prominent public reports of Scorecarding in security programs |
| Scale Security Programs with Scorecarding | How companies like Netflix, Chime, GitHub, and DigitalOcean use scorecarding to distribute security ownership, drive continuous improvement, and align risk management with business goals |
| How to create (and share) good cybersecurity metrics | |
| 12 incident response metrics your business should be tracking | |
Culture
| Link | Description |
|---|---|
| Netflix Culture | |
| Phil Venables Security Leadership: A-grades vs. Pass/Fail | The ability to know what needs to be done really well vs. what needs to be simply ok |
| Phil Venables Organizational Politics | You need to know how to work this in a positive way for the benefit of your program |
| Phil Venables Relationship Management for the InfoSec Program | Adopt your own CRM & Build an Alignment Matrix |
| Challenges in Security Engineering Programs | |
| Security is not the department of “No”; it’s the department that gets told “No” | Explaining why security is not, in fact, a department of “No” (never has been, and never will be), what it is instead, and what the future is likely to hold |
Budgeting / Vendors
Budgets
| Link | Description |
|---|---|
| Phil Venables Why Cybersecurity Budget Benchmarks are a Waste of Time | |
| Phil Venables Security Budgets - Supply and Demand Thinking | Think of security budgeting as a supply and demand problem. Work both supply and demand to make your budgeting process a risk management exercise |
Vendors
| Link | Description |
|---|---|
| Phil Venables Dealing with the Deluge of Vendors | A few filters to get you to a pre-shortlist of vendors to explore |
| Trust but test: Vendor security testing at Canva | How Canva validates vendor security by going beyond compliance |
| Implementing CNAPP: Key Considerations for Success | Key considerations to keep in mind when selecting a Cloud-Native Application Protection Platform (CNAPP) |
| Security is a Renewals Problem | How to negotiate with the vendors you already have |
| Refocusing Vendor Security on Risk Reduction | |
Hiring
Teams
| Link | Description |
|---|---|
| Phil Venables Building Balanced Security Teams: The Rule of Thirds | Specialists vs Advisors vs Operational |
| Phil Venables The Actual Cybersecurity Workforce Challenge | |
| Phil Venables Cybersecurity Workforce Development - Updated | |
| Phil Venables Conducting Security Interviews | How to conduct better interviews: |
| How to hire and build your cybersecurity team | Six "green flags" to look out for when hiring and building cybersecurity teams that truly make an impact |
Building a Product Security Team
- When does it make sense to build a Product Security team? What types of “security person” do you hire first? What do they work on?
- The different archetypes you will hire into a Product Security program
| Archetype | Description |
|---|---|
| LEADERSHIP | Leadership pushes security into the mainline culture |
| CONSULTANT | Holding impressive communication skills, this role is proactively invited to join discussion by product teams (useful on a project level as opposed to driving the whole culture) |
| BUILDER | The true software engineer with long term plans to eliminate risk |
| BREAKER | An adversarial mind who is optimized to violate your expectations of security |
| FIXER | This engineer lives for troubleshooting critical bugs, owning the commit, and shepherding the short term fix |
| SPECIALIST | For those few extra-significant risk areas |
| PROGRAM MANAGER | |
C-Levels
| Link | Description |
|---|---|
| magoo Hiring the CSO | |
| magoo You don’t need a Chief Security Officer | |
| Phil Venables Essential Attributes of Security Leadership | Archeologist vs Cartographer vs Explorer vs Librarian vs Historian vs Anthropologist |
| Phil Venables CISO / Cybersecurity Leader Job Description | Based on a framework of Mission, Objectives and Competencies |