Building Your Fortress: A Guide to Starting an Information Security Team

Data is now the lifeblood of any organization. Securing it has become not just a necessity, but a strategic imperative. This is where the information security (infosec) team steps in, acting as digital guardians.

Build such a team from scratch within a company is no small feat. The first part of that is really about human processes and feelings. This typically involves three main aspects:

1. Executive Buy-in: Secure the support of leadership. Clearly demonstrate the financial and reputational risks of cyberattacks and how a dedicated infosec team mitigates them.

2. Risk Assessment: Conduct a thorough assessment of your data assets, potential threats, and existing vulnerabilities.This creates a roadmap for your team's focus and resource allocation.

3. Defining Scope and Budget: Determine the initial size and capabilities of your team based on your company's size,needs, and budget. Prioritize roles critical to core security functions like network security, incident response, and security awareness.

The next piece is really about building the right team. They're going to have their work cut out for them, and if it's possible to find long-term fits, then they'll also have the responsibility of selecting the tools they have to implement and ultimately support. This includes:

1. Recruiting the Right Talent: Look for individuals with diverse skillsets across various infosec domains. Seek a balance between experience and fresh perspectives. Certifications like CEH, CISSP, and CISA can be helpful indicators, but prioritize real-world problem-solving abilities.

2. Structure and Synergy: I can't typically can't stand the term synergy. but it maes sense here. Design a team structure that fosters collaboration and clear communication. Consider sub-teams specializing in areas like endpoint security, vulnerability management, and threat intelligence. But try to align those with the needs and existing specialties within the organization.

3. Continuous Learning: Foster a culture of continuous learning and development. Encourage attending conferences,workshops, and professional training to keep the team updated on evolving threats and technologies.

The second part of building a security team is really about vendor selection. Some organizations will have the ability to implement open source toolchains - but most will just want to pay a vendor to stand up a stack of tools and support them. This will include

1. Get a Baseline: Start off deciding where the organization is at. Figure out an inventory of on prem assets, cloud services, and endpoints (be they at home or in the office). Also figure up how many switches, firewall, routers, apps, and other assets are out there and how they work. It's also a good idea to identify how physical access to all of this can be obtained. Keep in mind that everything seems "smart" at this point so a coffee maker with Wi-Fi suddenly means that coffee falls under the purvue of the infosec team!

2. Determine Complaince Needs: This is often best when looked at under the hood of a third party tool. If the organization needs to be SOC type 2, then a tool like Vanta might help figure out what all falls under that. It's also possible to look at everything in the baseline documentation and figure out how much work and what gaps there are (thus this is a lot of gap analysis). A baseline and a known security posture based on, at a minimum, compliance needs is key. But also go back to the risk assessment and decide if the organization wants to go above and beyond the checkbox nature of compliance!

3. Developing Security Policies: Implement clear and concise security policies covering areas like password management, data encryption, and acceptable use of technology. Ensure employee buy-in through awareness programs and training, but also that those policies match what can be verified using third party tools, or whether new tools will need to be built or bought. A lot of those policies will require a third party tool. The more that can be under the hood of a single vendor, the better (in some cases). Also when choosing those tools, don't forget that policies need to be verifiable - so for example, make sure that the SEIM or MDM can be integrated with a Vanta or another compliance tool.

4. Vulnerability Management: Employ tools and processes to regularly identify and patch vulnerabilities across your systems and network. Prioritize critical vulnerabilities based on potential impact and exploitability. This includes malware prevention, threat hunting, EDR, etc.

5. Incident Response Planning: Prepare for the inevitable. Develop a comprehensive incident response plan outlining roles, responsibilities, communication protocols, and incident containment procedures. Regularly test and refine this plan.

Once there's a plan, go back to the primary stakeholders that initiatied the creation of an information security discipline. Maintain open communication with them and all departments within the company, where possible. Educate employees about infosec best practices and empower them to report suspicious activity. That's an ongoing process - building a robust infosec program is an ongoing process, not a one-time event. Stay vigilant, adapt to evolving threats, and continuously optimize your security posture.

And don't forget to leverage technology! Explore the vast array of security tools and platforms available to automate tasks, gain insights, and streamline your team's operations.

So, take the first step today and build your digital fortress. Data, reputation, and the future probably depend on it.