Building relationships with your peers is a must, and this includes those on the executive team. You want to build the same rapport with your executive team as with your peers, so they too feel comfortable speaking with you. This is also the time to begin discussing their thoughts about what the security program was meant to do and what the original direction was. These discussions do not stop with the executive team; if you are able, have the same discussion with key stakeholders and the board of directors.

Without getting executive buy-in, your program may stall or go nowhere. There are many reasons for this; however, the first step is to determine what the business needs are and how executives see them being achieved. Many professionals want to come in and inflict change in the cybersecurity program right away – I would advocate against this, at least for a little while. The reason is that you must understand what is important to the business. Remember, you have to crawl before you can walk. Information technology and cybersecurity are no different in their approaches when determining the vision you and other executives have of the cybersecurity program.

Cost and budget are also key components of the program, but are not as important as getting executive buy-in. A new head of security or chief information security officer could come in, build out the plan, forecast the budget, utilize several free open source cybersecurity tools, and it could still go nowhere as the executive team has decided to not move forward. It did not stop because of the budget – that was just a component of it. The real issue is that your executive team does not accept the decisions or technology planned for implementation. This is why getting executive buy-in and having conversations regarding the cybersecurity program are so important.

Next, we can begin to build out a budget that makes sense to everyone. Whether it is five dollars or a million dollars, there are plenty of ways to secure the business; however, the direction you want to go in with the program is up to you.

A budget will make or break a department. Change my mind! That is a very true statement. Or is it? It is what you do with the budget you are given that will make or break a department. Organizations are hard-pressed to spend money on cybersecurity. Why? Because people think “It has never happened to us yet, so why should we bother?” or “We are too small to be a target.” However, mindsets are beginning to change. Many on the business side see cybersecurity or information technology as a sinkhole – one the business pours money into but never sees anything come of it. It is up to you to sell your ideas, get funding, and spend it accordingly.

Cybersecurity, however, is not something to take lightly or brush off as a second thought. States and the federal government are enacting breach notification laws for public and private sector organizations. Cyber insurance companies are serious, too, as they want to ensure their clients are performing their due diligence in reducing cyber risk across the organization. While not everything requires spending the business’s hard-earned money, certain aspects of cybersecurity do require funding.

Cybersecurity spending is also reaching all-time highs. Between 2021 and 2025, cybersecurity spending is expected to reach $1.75 trillion. According to Steve Morgan, founder of Cybersecurity Ventures, the market was only worth $3.5 billion in 2004 (Braue)[1]. That is a 500% increase (I am terrible at math). The Fog of More is a phrase characterized in cybersecurity as vendors trying to sell you the newest, shiniest blinky green and amber lights. How many of us have purchased new firewalls, only for them to collect dust? Better yet, how many of us have implemented firewalls with allow any/any/any rules? Don’t believe me? Performing a quick search on Shodan provides some disturbing statistics. For instance, there were over 286,000 results for open Telnet ports; VNC, almost 540,000 results; RDP, 582,000. These protocols, when exposed to the internet, increase the risk of your organization being attacked.

Not all vendors are bad; quite a few legitimately want to help. In the end, however, money talks. This is why it makes sense to rephrase “A budget will make or break your department ” to “ it is what you do with the budget that will define the department.” Do not let others fool you. You can churn out a robust security program without major funding.

Organizational technology stacks come in two different flavors, build and buy. While the build camp prefers to utilize as much open source technology and free utilities as possible, the buy camp wants to ensure that not only do they have support from a company, but they also have a single entity to blame if something goes wrong. While some concepts in this book will require a company to purchase some type of IT resource, this book is not centered on CapEx purchases. There are plenty of free, low-cost, or no-cost solutions out there if your team is willing to allocate the resources and time to learn about concepts and learn the skills of the trade.

For instance, begin developing your company’s vision, mission, and program charters. This will set the foundation for your program.

The vision of the office of information security is to secure the organization while making security a second thought.

Many organizations tend to throw technology at a problem, but is that the right solution? What is the goal of the company’s information security program? What will make you and your team stand out as a force for delivering top-notch security services? As a security leader, you must first understand where you are and where you want to go. If you do not have an end goal, how will you know how to get there?

A vision statement is a high-level description of how the program strives to achieve success. For instance, the preceding quote is a vision statement that could be used for a security department. It is intended to not only state the purpose of the department but the overall goal. A phrase I like to use for our security program is “Employees already think of cybersecurity as a second thought – I intend to keep it that way.”

Why is that statement important to me and our program? We want our security program to be as robust as possible and protect our systems and data while keeping our users safe. Information security should enable while making it easy for those who are not technically savvy. It should be as transparent as possible without always being in your face. Users should not have to read an entire manual to learn how to do their jobs, which are already tough without adding more layers on top.

The vision statement should depict what is most important to the department or organization. It should not be lengthy―only three sentences or fewer, but make it meaningful. It can be internal or external customer-facing, but make it a way of marketing yourself to others. As the security field is dynamic, a vision statement does not have to remain static and can evolve over time. One could write a vision statement and a few years down the line, decide to change it.

Here’s an example of a vision statement:

The Institute for Information Security & Privacy (IISP) at Georgia Tech is as an international leader in researching, developing, and disseminating technical solutions and policy about cybersecurity and privacy. We assemble strong, innovative, multi-disciplinary teams to address contemporary and future cybersecurity or privacy challenges faced by government, industry and individuals. Our graduates become leaders in government, scientific, industry and entrepreneurial communities.

—Georgia Tech University (https://www.scs.gatech.edu/research/institutes-centers)

There is no right way or wrong way to create a vision statement for your department. With one in place, however, it provides context for the goals and objectives that the department strives to achieve. It also shows that the department takes cybersecurity seriously in the types of services it will provide to its customers.

While vision statements are important for providing context for what the department strives to achieve, mission statements are equally as important. Mission statements depict why the department exists.

One may think, “Doesn’t a mission statement belong to the business?” While businesses have a mission statement, departments should have one too. Business-style mission statements articulate the purpose of the business/department or establishes the reason for their existence. Some famous mission statements include the following:

To bring the best user experience to its customers through its innovative hardware, software, and services.

—Apple (https://mission-statement.com/apple/)

To empower every person and every organization on the planet to achieve more.

—Microsoft (https://www.comparably.com/companies/microsoft/mission)

Accelerating the world’s transition to sustainable energy.

—Tesla (https://www.tesla.com/about)

What is your security department’s reason for existing? Is it to protect your organization’s sensitive data? Is it to thwart those who would do harm to your organization? How about securing and protecting the free flow of information across the world? I am sure we all have a back story as to why the newly minted cybersecurity manager or chief information security officer position opened at the company. What were the circumstances around your position being created? These questions do not necessarily have or need to have answers. They are there to help you decide how to construct a mission statement.

Before writing a mission statement, understand the culture and, again, what is important to the business. Write one, or a few, select the ones you like best, and then solicit feedback. If you are lucky and have a few security employees that work with you, get their feedback too or ask them to join in.

Mission statements, much like vision statements, are not long: maybe a sentence or two. However, it must have meaning and be celebrated as the crux of how the department will operate. It should motivate employees to do better and be better. The statement should also cause your customer base (others inside and outside the organization) to want to contact you when something is wrong―or right! On day one, a new employee should know and understand the department’s mission statement.

Mission and vision statements are great in that they highlight the department’s importance and reasons for being a crucial part of the organization. Program charters help bring everything together as they show what a department is responsible for.

What is your department responsible for? How will you go about setting policies for information technology and the rest of the organization? Does the department have oversight of how things are implemented, configured, and monitored? When establishing governance, the first thing people think of is building roles and responsibility matrices – responsible, accountable, consulted, and informed (RACI) charts, and the like.

While RACI charts, roles, and responsibility matrices tend to provide the who and the what, they do not provide much detail. Program charters are intended to help fill in those gaps. They can be written to provide as little or as much detail as possible to help define what those responsibilities are and their intended purpose. For instance, most information security departments act as advisors for the rest of the information technology department. In this scenario, security has oversight of all aspects of information technology, but security does not implement or configure the IT resource (because of the separation of duties).

Much like policies, standards, and procedures (which we will cover in Chapter 4), a program charter document should have the following sections:

Purpose

What is the purpose of the charter? What is it trying to convey to the reader? Are there specific questions that the charter is trying to answer?

Scope

Charters impact an organization in many ways. They can impact internal and external employees, third-party vendors, contractors, whole departments, or the organization. Who will be impacted when this charter is put into place?

Responsibilities

Much like a RACI chart, what is the security department instructed to do? What is it responsible for? This is where you set the stage for how the department will function. Will it have oversight of many different aspects of information technology and the rest of the organization?

Those responsible for the charter

The charter must have a stakeholder and an executive sponsor to sign off on it. The stakeholder should be the head of the department, whether that is the Chief Security Officer (CSO), Chief Information Security Officer (CISO), director of information security, or manager of information security. These are the individuals who will be making decisions about how they see their cybersecurity department operating. The executive sponsor, whether that is a Chief Information Officer (CIO) or Chief Executive Officer (CEO), must have the authority to sign off on the charter. Once the charter is officially signed off on, it will have the teeth necessary to carry out the charter and any other supporting documentation.

In the previous sections, we have discussed how the security department will achieve success, its importance to the organization, and what it will be responsible for. To build on those concepts, we will take it a step further to discuss initiatives, strategy, and what is important to you as a leader.

What are the key initiatives for your security program? What is the strategy you will set that will direct the security program over the next 3-5 years? While we will talk more about developing a strategy in the next two chapters, this is where we will set the stage for that vision. First, start off with two to five high-level categories that are important to you and then begin to drill down from there. Each subcategory gets more defined as we drill down. An example of this is found in the following graphic:

Figure 1.1 – Cybersecurity pillars

In Figure 1.1, the diagram depicts what could be important for your security program. Major high-level ideas spur off from the main topic: Governance, Defense In Depth, People, and Innovation. From the high-level categories, it begins to narrow down from strategic to tactical. For instance, Innovation drills down to Automation or Transparency and Defense in Depth drills down to Zero Trust, Securing the Edge, and Security Architecture and Operations.

The subcategories begin to drill down into specific concepts or technologies, but do not state which technologies are used. You should not have more than four subcategories from the main topic, but you can have as many or as few as needed to tell the story. This begins the development of the strategic vision you have for your department.

Figure 1.2 – Cybersecurity Defense in Depth pillar

The preceding figure depicts an expanded view of what defense in depth could look like. Starting with the main topic, Defense in Depth, we move toward the categories Zero Trust, Securing the Edge, and Security Architecture and Operations, followed by their respective subcategories.

Your first 90 days as a new manager, director, or CSO can be an exciting yet intimidating time. How will you get a budget for your program? How does executive management see information security? How will you develop a cybersecurity strategy? There are so many questions, yet few initial answers. Many come into the position and begin throwing technology at the problem, drowning in the Fog of More.

Remember, a security program is more than just technology; it also consists of people and processes. The key to getting started during your first 90 days is to understand the business, its processes, and how key stakeholders see the alignment of information technology and security to the business. Begin developing the department’s mission and vision statements and evangelize them throughout. Get others involved when creating these documents to gather their input and see what is important to them too.

As you have learned in this chapter, your first 90 days is also a time for creating new relationships with your coworkers. Relationships matter when it comes to information technology and security – make sure they are a priority. Eventually, you will have to work with colleagues from all different aspects of the business. Coworkers from finance, human resources, manufacturing, and other departments will have to be incorporated into your processes. Business continuity, incident response, and risk management are not information technology problems; they are business problems. As such, personnel from these departments need to be involved too.

We have now set the initial structure for the cybersecurity department, what is important, and why. In the next chapter, we will discuss the importance of a cybersecurity framework and its overall impact on the department and the organization. These two chapters help set the foundation you can begin to build a strategy on moving forward.

1. Braue, David. (2021, September 10). Global Cybersecurity Spending to Exceed $1.75 Trillion From 2021-2025. Cyber Crime Magazine. https://cybersecurityventures.com/cybersecurity-spending-2021-2025/