How to Start a Security Program

By Steve Gold
Posted in Security
On April 04, 2023

Security: the final frontier.

These are the safeguards of the CIS Critical Security Controls.

Its ongoing mission:

  • To protect organizations,
  • To seek out security gaps and misconfigured systems,
  • To boldly go where few security professionals have gone before.

Hi, I’m Steve Gold, Cybersecurity Practice Director for Gotham Technology Group and a little bit of a closet Trekkie. I’ve spent my career working for organizations that truly help people: from Wyse Technology, which minimized endpoint management, securely delivered applications and desktops, and reduced carbon footprint; to the last five years at the Center for Internet Security, helping organizations baseline and enhance their cybersecurity posture.

Throughout my career, the #1 question I hear related to security is “Where do I start?” Simple question, right? Not so easy to answer. Starting, or even baselining, a security program can be quite a daunting task. With so much information out there, how do you know what’s right and, more importantly, what’s right for you and your organization? My former colleagues, Tony Sager and Sean Atkinson, talk about the “fog of more”. More options don’t mean better options; they just mean more. In most cases, they slow down and complicate the decision-making process. Some conflate a security program with compliance frameworks, certifications, or even flashy TLAs (three-letter acronyms). In most cases, those paths will not get you to where you want to be.

There must be a better way! If only someone could create a prescriptive, prioritized, and simplified set of best practices to defend against the most prevalent threats.

Well, ask and ye shall receive. Meet the CIS Critical Security Controls (aka CIS Controls). The CIS Controls are just that: a prescriptive, prioritized, and simplified set of best practices to defend against the most prevalent threats. This is what I’ll be discussing over the next many blog posts, and this is how you start a security program.

Each week I’ll provide information on each of the 153 Cyber Defense Safeguards that make up the 18 CIS Controls. I’ll be starting with the 56 Safeguards that are part of Implementation Group 1 (IG1). For each one you’ll get the Control, the Safeguard, the Implementation Group, the CIS definition of the Control/Safeguard, and some thoughts on the importance and impact of mitigation. If you don’t know what IG1 is, keep on reading and all your questions will be answered.

Steve Gold

Steve Gold is Gotham’s Cybersecurity Practice Director. During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, including Dell and VMware. His expertise includes cloud computing, channel development, territory management, and government sales. For the past decade, Steve has focused on helping state, local, and educational organizations secure their data and has worked to assist them in implementing technology solutions that address their major business challenges.