Starting a Security Program from Scratch: A Brutalist Approach

This guide outlines a plan for establishing a security program from the ground up, incorporating the principles of Security Brutalism. This approach emphasizes simplicity, clarity, and effectiveness, focusing on core security fundamentals while avoiding unnecessary complexity. It also provides a timeline and a runbook for execution.

This is just one approach. There’s no single perfect or universally best solution. You should tailor this guide to fit your organization’s needs, making adjustments as necessary.

Security Brutalism Principles Applied

Here's how we'll apply Security Brutalism to this program:

• Focus on Fundamentals: Prioritize essential security controls and practices over advanced or trendy solutions.
• Clarity and Transparency: Ensure that all security measures are well-documented, easily understood, and transparent to stakeholders.
• Simplicity: Avoid over-engineering or complex systems. Opt for straightforward solutions that are easier to manage and maintain.
• Effectiveness: Prioritize security measures that provide the greatest risk reduction for the effort invested.
• Honesty and Pragmatism: Acknowledge limitations and focus on achievable goals rather than striving for unattainable perfection.
• Resilience: Build a security program that is resilient to change, adaptable to new threats, and able to withstand failures.
• Visibility: Implement monitoring and logging to provide clear visibility into the security posture of the organization.

Guide

Timeline

Here's a high-level timeline:

• Weeks 1-4: Assessment and Planning.
• Months 1-6: Foundational Security Controls.
• Months 6-12: Ongoing Security Management.

Phase 1: Assessment and Planning (Weeks 1-4)

Goal: Understand the organization's current state, define security goals, and create a roadmap.

Activities:

1. Stakeholder Identification and Engagement (Week 1):
• Identify key stakeholders (executives, department heads, IT, legal, etc.).
• Conduct initial meetings to understand their concerns, priorities, and expectations regarding security.
• Establish communication channels and reporting mechanisms.
2. Asset Inventory and Risk Assessment (Weeks 1-2):
• Identify and document all critical assets (data, systems, applications, infrastructure).
• Perform a risk assessment to identify potential threats, vulnerabilities, and their potential impact.
• Prioritize risks based on likelihood and impact.
• Use a simple risk matrix (e.g., High, Medium, Low) for clarity.
3. Define Security Goals and Objectives (Week 2):
• Based on the risk assessment, define clear, measurable, achievable, relevant, and time-bound (SMART) security goals.
4. Develop a Security Roadmap (Weeks 3-4):
• Create a phased plan outlining the steps to achieve the defined security goals.
• Prioritize quick wins and foundational elements.
• Include a timeline, resource allocation, and key performance indicators (KPIs).
• The roadmap should be simple, and focus on 3-6 month chunks.

Phase 2: Foundational Security Controls (Months 1-6)

Goal: Implement essential security controls to address the most critical risks.

Activities:

1. Security Policies and Procedures (Month 1-2):
• Develop clear, concise, and actionable security policies and procedures.
• Focus on essential areas such as: Acceptable Use Policy, Password Policy, Data Classification Policy, Incident Response Plan, and Vulnerability Management Policy.
• Keep documentation simple and avoid legal jargon.
2. Access Control (Months 1-3):
• Implement the principle of least privilege.
• Establish a robust identity and access management (IAM) system.
• Enforce strong password policies and multi-factor authentication (MFA).
• Regularly review and revoke access as needed.
3. Vulnerability Management (Months 2-4):
• Establish a process for identifying, assessing, and remediating vulnerabilities.
• Implement regular vulnerability scanning of systems and applications.
• Prioritize patching based on risk.
• Document exceptions and compensating controls.
4. Incident Response (Months 1-4):
• Develop a basic incident response plan.
• Ensure key personnel are aware of their roles in the event of an incident.
• Establish a communication plan.
• Conduct a tabletop exercise.
5. Security Awareness Training (Months 3-6):
• Conduct regular security awareness training for all employees.
• Focus on practical topics such as: phishing awareness, password security, data protection, and incident reporting.
• Keep training concise and engaging. Create realistic training based on actual attacks. Give horror stories and use code to show developers what can go wrong.

Phase 3: Ongoing Security Management (Months 6-12)

Goal: Continuously monitor, improve, and maintain the security program.

Activites:

1. Security Monitoring and Logging (Months 6-9):
• Implement security monitoring tools to detect and respond to security events.
• Establish a centralized logging system for security-relevant events.
• Regularly review logs and alerts.
2. Continuous Improvement (Months 9-12):
• Regularly review and update security policies and procedures.
• Conduct periodic security assessments and audits.
• Track key performance indicators (KPIs) to measure the effectiveness of the security program.
• Adapt the program to address new threats and changes in the organization.
3. Third-Party Risk Management (Months 9-12):
• Identify and assess risks associated with third-party vendors.
• Implement controls to mitigate these risks.
• Establish a process for ongoing monitoring of third-party security.

Runbook

This runbook provides step-by-step instructions for implementing the security program. It is designed to be clear, concise, and easy to follow.

Phase 1: Assessment and Planning

• Week 1: Stakeholder Identification and Engagement
• Identify all relevant stakeholders (executives, department heads, IT, legal, etc.).
• Schedule initial meetings with each stakeholder group.
• Prepare a list of questions to understand their security concerns and priorities.
• Document stakeholder feedback and expectations.
• Establish a communication plan (frequency, channels, etc.).
• Weeks 1-2: Asset Inventory and Risk Assessment
• Create a comprehensive list of all organizational assets (hardware, software, data, etc.). Use existing documentation, automated discovery tools, and manual interviews.
• Categorize assets based on criticality (High, Medium, Low).
• Identify potential threats (internal, external, natural, etc.).
• Identify vulnerabilities that could be exploited by these threats.
• Assess the likelihood and impact of each risk.
• Prioritize risks using a simple risk matrix.
• Document all findings in a risk register.
• Week 2: Define Security Goals and Objectives
• Based on the risk assessment, develop SMART security goals.
• Ensure goals are aligned with business objectives.
• Document goals and objectives and get stakeholder buy-in.
• Weeks 3-4: Develop a Security Roadmap
• Create a phased plan to achieve the security goals.
• Outline specific activities, timelines, and resource requirements for each phase.
• Prioritize quick wins and foundational elements.
• Identify key performance indicators (KPIs) to measure progress.
• Document the roadmap and get stakeholder approval.

Phase 2: Foundational Security Controls

• Month 1-2: Security Policies and Procedures
• Identify essential security policies and procedures.
• Draft policies in clear, concise language. Try to keep them as one-pager policies.
• Get input from legal and HR departments.
• Publish policies and communicate them to all employees.
• Implement a process for policy review and updates.
• Months 1-3: Access Control
• Implement the principle of least privilege.
• Establish an Identity and Access Management (IAM) system: Choose an appropriate solution (cloud-based, on-premise, etc.), and configure user accounts, roles, and permissions.
• Enforce strong password policies: Minimum length, complexity requirements, and how often it changes.
• Implement multi-factor authentication (MFA) for critical systems.
• Establish a process for regular access reviews.
• Months 2-4: Vulnerability Management
• Establish a vulnerability management process: Identify and select vulnerability scanning tools, and schedule regular scans of systems and applications.
• Analyze scan results and prioritize vulnerabilities for remediation.
• Patch systems and applications according to the vulnerability management policy.
• Document exceptions and compensating controls.
• Months 1-4: Incident Response
• Develop an incident response plan.
• Identify roles and responsibilities.
• Establish communication channels.
• Define incident response procedures.
• Conduct a tabletop exercise to test the plan.
• Months 3-6: Security Awareness Training
• Develop a security awareness training program: Identify key topics (phishing, password security, data protection, etc.), and choose a training format (online, in-person, etc.).
• Conduct regular training sessions for all employees.
• Track employee participation and measure training effectiveness.
• Provide ongoing security awareness communications.

Phase 3: Ongoing Security Management

• Months 6-9: Security Monitoring and Logging
• Implement security monitoring tools: Select and deploy a SIEM or other monitoring solution. Begin to configure alerts for suspicious activity.
• Establish a centralized logging system: Collect logs from all relevant systems and applications, and ensure logs are stored securely and retained for an appropriate period.
• Regularly review logs and alerts, and implement automation to help sort critical alerts.
• Months 9-12: Continuous Improvement
• Regularly review and update security policies and procedures.
• Conduct periodic security assessments and audits: Internal or external audits, and penetration testing.
• Track key performance indicators (KPIs): Number of security incidents, time to detect and respond to incidents, and vulnerability remediation rates.
• Adapt the program to address new threats and changes.
• Months 9-12: Third-Party Risk Management
• Identify all third-party vendors.
• Assess the security risks associated with each vendor.
• Implement controls to mitigate these risks: Ask them for a threat model and the last five incidents and what they did to remediate them. Set contractual requirements, and conduct regular audits.
• Establish a process for ongoing monitoring of third-party security.

Key Performance Indicators (KPIs)

These are a few example KPIs that can provide insight into the program’s progress.

• Number of security incidents
• Time to detect and respond to incidents
• Vulnerability remediation rates
• Percentage of employees completing security awareness training
• Number of security policy violations
• Number of exceptions created
• Percentage of systems with MFA enabled

To Close

Following this plan and applying the principles of Security Brutalism enables organizations to build a robust and effective security program that safeguards their assets and aligns with their business goals.

After the program is up and running, it’s essential to regularly reassess and guard against unnecessary complexity. Security Brutalism emphasizes lean, efficient, and resilient security.