Presented at the http://ideafest2020.org/ conference on April 21, 2020

1. © Halfaker and Associates, LLC
Lessons Learned Building an
Enterprise Security Program
April 21-22, 2020
Michael King

2. Protected 2
 Context
 Create a Program, not a Binder
 Select Security Control Framework(s)
 Define Outsourcing Philosophy
 Design the Process Architecture
 Prioritize Investments
 Select Tech Stack
 Design and Build the Team
 Manage and Communicate Risk
 Accelerate your InfoSec Program
 Lessons We Learned
Agenda

3. Protected 3
Context: About Halfaker
 Halfaker and Associates (Halfaker,
www.halfaker.com) is a midsize
company, headquartered in Arlington
 Halfaker creates, modernizes,
integrates, and secures mission
critical systems for Federal
Government organizations
 Halfaker is a fast-growing, midsize
organization
 Because of our support of Federal
Government organizations, we have
many Information Security
compliance requirements
(e.g. NIST 800-171, DoD CMMC,
VA 6500, CMS ARS 3.1)
Building an Enterprise Security Program
Context: About Me
 I’m a fan of certifications: PMP, PMI-
ACP, SAFe® SA, ITIL
 Want to follow up?
– michael.king@halfaker.com
– @mikehking (Twitter)
– https://www.linkedin.com/in/mikehking
 Halfaker CIO and
CISO / Formerly with
Lockheed Martin
 Own IT, Information
Security, and
Process/Quality at
Halfaker

4. Protected 4
Create a Program, not a Binder
Do not think about an Information Security Program as just a set of policies, or just a stack
of technologies! A comprehensive InfoSec program must have all these components:
An InfoSec program is never “done” – think continuously not just on running the program
(e.g. updating risks, reviewing SIEM dashboards), but also identifying where to invest in
improvements (e.g. identifying holes or adding layers of ‘defense in depth’ maturity)
Building an Enterprise Security Program
Component Description Example Artifact(s)
Governance
and Strategy
How the program is monitored,
improved upon, and resourced (e.g.
budgeted)
 ISMS Manual
 Security Program Charter
 Roadmap
 Goals and Metrics
Policies and
Processes
Defines how the program is executed
 Process Architecture
 Traceable, comprehensive policies and processes
Technology Tools and systems used
 System Architecture
 Service Catalog
People
Employees, partners, and vendors,
and how they are organized/allocated
 Defined roles and responsibilities

5. Protected 5
Select Security Control Framework(s)
 There are many mature InfoSec
Frameworks – do not try to create your
own
 Two framework types:
– Program: Assess your InfoSec program
(e.g. NIST CSF (see below), ISO 27001)
– Controls: Baseline of implementation
controls (e.g. ISO 27002, NIST 800-53,
PCI, HIPAA)
 Ideally, select a primary program
framework and then a primary controls
framework, and align with those
 Consider using on an industry-specific
framework (e.g. Healthcare using
HITRUST, DoD Contractors using CMMC)
Building an Enterprise Security Program

6. Protected 6
Select Security Control
Framework(s) (continued)
 If you don’t know where to
start, start with CIS Top 20
(see Slide 9), then NIST CSF
(most popular + free)
 Don’t start with a fancy
Governance, Risk, and
Compliance (GRC) tool –
start with a spreadsheet to
identify posture (see
https://info.expel.io/expel-self-
scoring-tool-for-nist-csf)
 Your Security Processes
should align with, and be
traceable,
to your Security
Framework(s)
Building an Enterprise Security Program

7. Protected 7
Define Outsourcing Philosophy
Decide your organization’s philosophy on Insourcing vs. Outsourcing
how you design and execute your InfoSec Program
Building an Enterprise Security Program
 Virtual CISO (vCISO) to
provide strategic direction
 Security Program Policy
Templates
 Managed Security Service
Provider (MSSP)
 Lean team to set strategy,
maintain expertise
 Complement team with
services like SOC as a Service
and/or Managed Detection and
Response (MDR)
Outsource Hybrid Insource
 Hire an InfoSec lead
(e.g. CISO or Dir, InfoSec)
 Manage a suite of
best-in-breed technologies
 Establish and staff a Security
Operations Center (SOC)
Where is your organization
on this spectrum?

8. Protected 8
Design the Process Architecture
 Be intentional with the design of your process architecture – start lean and think about
the hierarchy of manuals, policies, and procedures, and how they are organized
 Consider investing in a template package, for example:
– https://certikit.com/products/cyber-essentials-toolkit/
– https://certikit.com/templates/iso-27001-toolkit/)
Building an Enterprise Security Program
Governance
• Security Charter
• Roles and Responsibilities
• Strategic Plan and Roadmap
• Risk Management Procedure
• Communication Plan
• POA&M Plan
Policies
• Acceptable Use Policy
• Social Media Policy
• Mobile Device Policy
• Teleworking Policy
• HR Security
• Asset Security and Access Control
Operations
• Monitoring Procedures
• Supplier Evaluation Program
• Event Identification and
Management Procedure
• Incident Response Plan (IRP)
Consider drawing your process asset structure out, like an
org chart, to visualize the areas and design for future
enhancements. Align with your primary framework(s) ▼
ISMS Manual

9. Protected 9
Prioritize Investments: CIS Controls (Top 20)
Building an Enterprise Security Program

10. Protected 10
Prioritize Investments: Build Backlog based on Needs (See Example)
Building an Enterprise Security Program
1. Know what you have
(Spreadsheet or CMDB of
equipment and applications)
2. Vulnerability Management
3. Define roles/responsibilities
4. Pick primary framework and
assess current posture
5. Identify your top business risks
6. Multi-Factor Auth. for all Admins
7. Anti-Virus and Endpoint Encrypt.
8. Firewalls and Intrusion Detection
9. Audit logging and E-Discovery
10.Security awareness training
11.Identify gaps and track POA&Ms
12.Practice Incident Response
1. Secure Email Gateway
2. MFA for all users
3. Eliminate shared accounts
4. Log Analysis, SIEM, CASB, User
Behavior Analytics, Data Loss Prevention
5. Establish Single Sign On (SSO)
6. Cloud Access Security Broker
7. Establish Sec. Ops Center / MSSP
8. Establish governance committee and
change mngmt. board
9. Persistent VPN and Block USB
10.Practice Disaster Recovery
11.Move your compliance matrix from
spreadsheet to GRC tool
1. Use tools like MITRE ATT&CK
and OWAP Cyber Defense
Matrix to inform your backlog of
future improvements
2. Improve risk communication
3. Web Filtering/DNS Protection
4. Conduct pen tests
5. Conduct tabletop exercises
6. Identity Governance &
Administration (IGA) solution
(automate provisioning)
7. Key/Secrets Management
8. Conduct threat hunting
9. Mature Forensics capabilities
Build the Foundation Mature Build Layered Defense

11. Protected 11
Building an Enterprise Security Program
Select Tech Stack
 Determine your philosophy:
– Do you want simplicity
(e.g. fewer systems, SaaS)?
– Or do you want more control/
flexibility (e.g. best-of-breed
systems, hosted on-site,
highly-integrated systems)?
 Focus on improving areas of
weakness within your program/
infrastructure – do NOT listen to
sales pitches without thinking in
terms of your prioritized risks/issues
 If you’re early in your information
security maturity, focus on something
simple like your NIST CSF self-
assessment and attacking the red
areas

12. Protected 12
Select Tech Stack
 As you mature, consider investing time in assessing yourself against MITRE’s
ATT&CK™ (https://attack.mitre.org/), where you can assess your posture against 12
attack tactics, which decompose into 283 specific attack types
Building an Enterprise Security Program
Initial Access
(10 items)
Execution
(33 items)
Persistence
(58 items)
Privilege
Escalation
(28 items)
Defense
Evasion
(63 items)
Credential
Access
(19 items)
Discovery
(20 items)
Lateral
Movement
(17 items)
Collection
(13 items)
Command
and Control
(21 items)
Exfiltration
(9 items)
Impact
(16 items)
ATT&CK™ Matrix for Enterprise ▼

13. Protected 13
Design and Build the Team
 Consider your insourcing/outsourcing approach
 Early in an organization’s growth, they will likely dual-hat someone to own and
oversee security, such as the IT leader
 As an organization scales, they’ll need a head of security (e.g. CISO)
 Determine how you want to structure your security personnel:
– Centralized – enterprise-level, centralized function
– Decentralized – distributed security personnel in individual business units/locations
 As an organization scales, it should covers each of these security domains with
personnel expertise/responsibilities/ownership:
1. Governance, Risk, and Strategy – Policy, Compliance, Strategy, Risk, Awareness,
Business Continuity
2. Infrastructure Protection – Application security, data security, vulnerability management
3. Identity and Access Management – Identity Governance and Administration (IGA), Access
Management
4. Security Operations – Monitoring and Detection, Incident Response, Threat Hunting,
Vulnerability Assessment, Pen Testing, Red/Blue Teaming
5. Administrative Operations – e.g. Patch Management, System Administration, Change
Management, Provisioning
Building an Enterprise Security Program

14. Protected 14
Manage and Communicate Risk
 Iteratively identify, capture, analyze, & update risks (use business vocab, not IT vocab)
 Align budget requests and initiative selection/prioritization with risks to show business
value
 Do NOT use Fear, Uncertainty, and Doubt (FUD) – communicate in productive ways
 Communicate your program’s posture/areas of weaknesses, based on a framework
(e.g. CSF), and focus on threats/risks unique to your organization, not generic ones
 Partner with business leaders – the head of InfoSec (e.g. CISO / Dir Infosec) should
NOT own security risk, the business does, and the CISO helps facilitate/drive posture
improvements
 Your organization’s InfoSec risk exposure will never be zero!
Building an Enterprise Security Program
Current
Risk
Posture
Target
Risk
Posture
Low Maturity
InfoSec Program
High Maturity
InfoSec Program

15. Protected 15
Accelerate your InfoSec Program
1. Assess your organization against NIST CSF using Expel.io
scoring spreadsheet
 https://info.expel.io/expel-self-scoring-tool-for-nist-csf
2. Build a central spreadsheet/database of all the equipment
and software your organization owns/manages (or update it)
3. Enable MFA everywhere you can
4. Teach your employees to be suspicious
5. Separate admin access from your user accounts
6. Reduce/eliminate shared accounts (e.g. laptop login, email accounts)
7. Consider buying Information Security policy template package, such as
https://certikit.com/products/cyber-essentials-toolkit/
8. If you use cloud infrastructure (e.g. AWS, Azure), use configuration monitoring
services, such as AWS Trusted Advisor or Cloud Security Posture Management
solutions like , such as https://cloudcheckr.com/
9. Consider investing in consulting/services (e.g. MSSP) to help you understand your
gaps/blind spot and prioritize how you’ll improve
Building an Enterprise Security Program

16. Protected 16
Lessons We Learned
1. Don’t confuse compliance and ‘real’ security – they’re related,
not the same
2. Information Security is a fast-moving domain – don’t feel
overwhelmed or depressed by your current gaps,
focus on making a map/list and prioritizing it
Building an Enterprise Security Program
3. “Step back” and look at all your possible areas for improvement and
intentionally prioritize/stack-rank them based on attacking your most
significant risks (not just what the industry says it the most important things,
but the most important thing based on your business model)
4. Don’t chase the ‘shiny new technologies’ – the fundamentals of security
are hard to do, and without them, the new things are irrelevant
5. Focus on the business risks – the InfoSec leader/team does NOT own
information security risk, the business does!
– Talk to business executives about their concerns and priorities, align with those!
– Partner with business leaders, don’t try to take on their infosec risks

17. Protected 17
Questions?
Slides will be published to https://www.slideshare.net/mikehking/
Want to follow up?
michael.king@halfaker.com
@mikehking (Twitter)
https://www.linkedin.com/in/mikehking