Security Career, Sep 25, 2023
AmazonTeaSee

Strategic Roadmap

Joining a startup as a senior sec engineer and need to create a strategic plan. I’ve done them before utilizing Mitre but this needs to be more CISO focused, so visually appealing. Any tips on bigger picture initiatives and design?

Oscar HsCJ30 Sep 28, 2023

Start with a framework. Like NIST, ISO 27001, or CIS, or whatever compliance frameworks are relevant in your industry (FedRAMP, HIPAA, PCI, SOC 2). As disconnected as they are from day-to-day security practices, they still can provide a basic checklist of what your org should be doing and where to prioritize efforts in the development of a security roadmap. Though the security industry hasn't come to a consensus on how to measure security efficacy, measuring against a framework is generally agreed upon and easier to digest for senior management.

TJsu48 Oct 5, 2023

First, understand the business priorities. Do a security program audit, review IT processes, and review the threat picture. If the company does not have a security architecture, make one of the current state and, based on the framework and business priorities, make the desired future state.

Celonis ULrE22 Oct 5, 2023

Solid answer