
Security Programs

Strategic

Starting a Security Program

Link - Description
Cloudflare Startup Security: Starting a Security Program at a Startup
  1. Relationships
  2. Security Culture
  3. Compromise and Continuous Improvement
Early Security for Startups - What should a startup without a security team do for security?
Startup Security 2.0 - The definitive guide to security at hyper growth startups, by someone who lived to tell the tale
The SOC2 Starting Seven - 7 things you can do now that will simplify SOC2 for you down the road while making security posture materially better in the immediacy
magoo Starting Up Security: From Scratch - It’s important to start a program with a consensus on the wide view of risks and threats
Starting a Security Program from Scratch (or re-starting)
  • Phase 1 - Face the Right Direction
    • Step 1: Put Someone in Charge
    • Step 2: Establish a Governance / Oversight Process
    • Step 3: Conduct a Critical Systems Security / Breach Test
    • Step 4: Act on High Risk Results Immediately
  • Phase 2 - Cover the Basics
    • Step 5: Conduct a Broad Security Review vs. Expected Controls (Defend in Depth)
    • Step 6: Develop a Multi-Stage Implementation Plan to Close Gaps
    • Step 7: Select Managed Services Providers to Help
    • Step 8: Build a Team
  • Phase 3 - Make it Routine
    • Step 9: Program Manage Your Enhancements
    • Step 10: Establish Continuous Risk Assessment and Control Monitoring
    • Step 11: Increase Resilience and Plan for Bad Days
    • Step 12: Put on Some Hedges
  • Phase 4 - Make it Strategic
    • Step 13: Align with Business Objectives
    • Step 14: Support your Customers / Extend your Products
    • Step 15: Improve the Team / Skills
    • Step 16: Do Red Team Exercises and Adversarial Testing
10 Things Your First Security Hire Shouldn’t Do
  1. Don’t run a public bug bounty
  2. Don’t run internal red team assessments or pentests
  3. Don’t run bespoke trainings
  4. Don’t set up hamster wheels of toil
  5. Don’t gatekeep security from the folks who were already doing the work
  6. Don’t miss the mark on communicating upwards and outwards
  7. Don’t fail to prepare for hiring
  8. Don’t fight every fire
  9. Don’t ignore security domains
  10. Don’t start big engineering projects
Startup security starter pack - A collection of resources to help you get started with security at your startup
High Leverage Security Decisions - Essential security strategies for early-stage startups to minimize risks while facilitating smoother audits
Checklists

Scaling Up

Link - Description
An opinionated guide to scaling your company's security - Clint's talk summarising approaches from multiple companies
How to 10X Your Security - Distill tips / insights from talks, blog posts, tools, and in-person conversations
How to 10X Your Cloud Security (Without the Series D)
  • Build guardrails, establish invariants, offer secure defaults, and kill areas of risk - don’t add to dashboards full of problems
  • IAM, Vulnerability Management, and Detection Engineering are prime candidates for limitation to desirable security
  • Collect the minimum viable data to inform investments and report upwards & outwards
  • Philosophy
    • Do things that don’t scale, automate as much as possible to scale
    • High-signal, low-noise tools and alerting
    • Guardrails, not gatekeepers
    • Security as partnership. Embed security in development process
    • Tools devs can build, others can operate
Phil Venables Delivering Security at Scale: From Artisanal to Industrial - It is vital to move from individual artisanal excellence to scale your security program with a relentless approach of progressively industrializing every part of your program
Career Longevity & "The Don't Fire Me Chart" - To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity. The trouble is this is also a space where there is often impatience to get results fast

Frameworks

Link - Notes
NIST Cybersecurity Framework
Equifax Controls Framework - Equifax has released an open-source controls framework that provides security guidance for cloud-native applications
OWASP SAMM - An effective and measurable way for you to analyze and improve your secure development lifecycle
Data Security

Tactical

Practical

Link - Description
Phil Venables Security Program Tactics
  • Increase Risk Transparency & Accountability
  • Raise the Baseline by Reducing the Cost of Controls
  • Create More Defensible & Resilient Architectures
  • Increase Risk Workforce Productivity
  • Operate Threat Intelligence & Large Scale Hunting
Phil Venables Prioritizing Security Improvements - A Deceptively Simple Way
  1. When you are upgrading controls you want to focus on the Most Critical assets and all the assets (application, systems, etc.) that are being built anew or being upgraded anyway
  2. Work to reduce the amount of The Rest
The Path to Zero Touch Production
  • Slides from a talk that shares a theory of how to incrementally and collaboratively move a cloud-native organization to Zero Touch Prod
  • JIT Cloud Access
magoo Securing Customer Support
The Copenhagen Book - A general guideline on implementing auth in web applications

Selling Security Internally

Link - Description
Phil Venables Ceremonial Security and Cargo Cults - Over time many important risk mitigations become ceremonies. This blunts the effectiveness of the controls and in some cases outright perverts the original intent so that the control is not only ineffective but is actually counter-productive
Phil Venables Incentives for Security: Flipping the Script
  • Don’t just focus on security
  • Focus on tail risks
  • Deliver real and big enough savings
  • Improve measurable customer experience
  • Address status-quo disincentives
Phil Venables Slipstreaming: Business Tactics for Security & Control Implementation - Use new projects and enhancements as opportunities for improvement
Phil Venables Scenario Planning - The Best Technique You Might Not Be Using - Macro scenarios are useful to shape your broader strategy and prepare you to respond to the worst case by pre-planning what triggers to look for
Phil Venables Return on Investment for Security - Follow the money to actual accounting entries
Phil Venables Simple Ways to Communicate Successes - All risk programs, but especially security, have the issue that success is often silent and failure is highly visible
Phil Venables Managing a quarterly security review - A general meeting structure:
  • Assurance: How do our existing mitigations look?
  • Projects: How have ongoing projects gone?
  • New assurances: Do we change how we track existing mitigations?
  • New projects: What do we build next?
Build the security you expect
  • Instead of arguing with product builders about why security is important, reframe and instead suggest they build the security they would expect
  • "Should we encrypt that thing?""Would you expect that thing to be encrypted if it was your data?"
Don't Security Engineer Asymmetric Workloads
  • Asymmetric workloads are the double edged sword of force multiplier roles
  • Examples of developers imposing asymmetric work on Security

Metrics

Link - Description
Phil Venables Principles for Cybersecurity Metrics
  • Outcome Bias
  • Longevity and Accuracy
  • Focus on Purpose not Rewards
  • Utility Focus
  • Efficiency
  • Expertise Proximity
  • Assume Gaming
  • Directional Consistency
  • Use a Metrics Taxonomy
Phil Venables Security Programs - A Plan is Not a Strategy - You might find the following goals in a strategy:
  • Risk Transparency and Fast Feedback
  • Raise the Baseline by Reducing the Cost of Control
  • Architect to Defeat Whole Classes of Attacks
  • Make the Secure Path the Easiest Path - Shift Down and Shift Left
  • 10X Workforce Productivity
  • Continuous Control Monitoring
  • Focus on Risks to Commercial Objectives - Seek Commercial Benefits
Phil Venables You Only Get 3 Metrics - Which Ones Would You Pick?
  • High Assurance Software Reproducibility
  • Cold-Start Recovery Time
  • Data Governance Coverage
Phil Venables The Leading Indicators of a Great Info/Cybersecurity Program - It's not always possible to deeply assess organizations. However, by looking for these leading indicators you can get some sense of security intent and focus
Phil Venables Career Longevity & The Don't Fire Me Chart - One of the more common patterns of security program success vs. failure is how much leadership is prepared to stick with the work over the long term. Transitioning to a more defensible security architecture requires persistence, engagement, and leadership commitment over several years, perhaps longer
Scorecarding Security - Lessons from prominent public reports of Scorecarding in security programs
Scale Security Programs with Scorecarding - How companies like Netflix, Chime, GitHub, and DigitalOcean use scorecarding to distribute security ownership, drive continuous improvement, and align risk management with business goals
How to create (and share) good cybersecurity metrics
12 incident response metrics your business should be tracking
  • Mean Time to Detect (MTTD)
  • Mean Time to Acknowledge (MTTA)
  • Mean Time to Contain (MTTC)
  • Mean Time to Respond (MTTR)
  • Mean Time to Patch (MTTP)
  • Mean Time to Resolve (MTTR)
  • Mean Time to Recovery (MTTR)
  • System availability
  • Mean Time Between Failures (MTBF)
  • Service-level agreement (SLA) compliance
  • Incidents over time
  • Issue classification analysis

Culture

Link - Description
Netflix Culture
Phil Venables Security Leadership: A-grades vs. Pass/Fail - The ability to know what needs to be done really well vs. what needs to be simply ok
Phil Venables Organizational Politics - You need to know how to work this in a positive way for the benefit of your program
Phil Venables Relationship Management for the InfoSec Program - Adopt your own CRM & Build an Alignment Matrix
Challenges in Security Engineering Programs
  • Challenge 1: Hiring
  • Challenge 2: Relearning software engineering lessons
  • Challenge 3: Hammer & Nail
  • Challenge 4: Engineering Disconnect
Security is not the department of “No”; it’s the department that gets told “No” - Explaining why security is not, in fact, a department of “No” (never has been, and never will be), what it is instead, and what the future is likely to hold

Budgeting / Vendors

Budgets

Link - Description
Phil Venables Why Cybersecurity Budget Benchmarks are a Waste of Time
  • Security needs to be centered on outcomes
  • Compare based on an agreed upon taxonomy
  • Align incentives
Phil Venables Security Budgets - Supply and Demand Thinking - Think of security budgeting as a supply and demand problem. Work both supply and demand to make your budgeting process a risk management exercise

Vendors

Link - Description
Phil Venables Dealing with the Deluge of Vendors - A few filters to get you to a pre-shortlist of vendors to explore
Trust but test: Vendor security testing at Canva - How Canva validates vendor security by going beyond compliance
Implementing CNAPP: Key Considerations for Success - Key considerations to keep in mind when selecting a Cloud-Native Application Protection Platform (CNAPP)
Security is a Renewals Problem - How to negotiate with the vendors you already have
Refocusing Vendor Security on Risk Reduction
  • Understand data flows
  • Define access
  • Configure auditing
  • Lock down integrations
  • Harden with security guides

Hiring

Teams

Link - Description
Phil Venables Building Balanced Security Teams: The Rule of Thirds - Specialists vs Advisors vs Operational
Phil Venables The Actual Cybersecurity Workforce Challenge
  • Secure Products not Security Products
  • Developer Tooling, Toolkits and APIs
  • Embedded Responsibility
  • UX / Design Improvements
Phil Venables Cybersecurity Workforce Development - Updated
  • Cyber-workforce productivity
  • Embedding security responsibility in other teams
  • Embedding security training in other education programs
  • Cybersecurity is not the only technology/business risk
  • Discover latent talent
Phil Venables Conducting Security Interviews - How to conduct better interviews:
  • Curiosity
  • Influence
  • Moral Courage and Calmness
  • Persistence
  • Collaboration
  • Critical and Logical Thinking
  • Broad Technical Understanding
  • Organization Specific Culture Assessment
  • Strategic Mindset
  • Team Building
How to hire and build your cybersecurity team - Six "green flags" to look out for when hiring and building cybersecurity teams that truly make an impact
Building a Product Security Team
  • When does it make sense to build a Product Security team? What types of “security person” do you hire first? What do they work on?
  • The different archetypes you will hire into a Product Security program
Archetype - Description
LEADERSHIP - Leadership pushes security into the mainline culture
CONSULTANT - Holding impressive communication skills, this role is proactively invited to join discussions by product teams (useful on a project level as opposed to driving the whole culture)
BUILDER - The true software engineer with long term plans to eliminate risk
BREAKER - An adversarial mind who is optimized to violate your expectations of security
FIXER - This engineer lives for troubleshooting critical bugs, owning the commit, and shepherding the short term fix
SPECIALIST - For those few extra-significant risk areas
PROGRAM MANAGER

C-Levels

Link - Description
magoo Hiring the CSO
magoo You don’t need a Chief Security Officer
Phil Venables Essential Attributes of Security Leadership - Archeologist vs Cartographer vs Explorer vs Librarian vs Historian vs Anthropologist
Phil Venables CISO / Cybersecurity Leader Job Description - Based on a framework of Mission, Objectives and Competencies