Whether you are creating a new security program, modernizing an existing one, or simply working to keep security lean and ahead of the attackers, having a simple way to explain what we need to do and how we need to do it is a priority. There are helpful laws and principles that can guide us as we build the program, but finding a simple philosophy to jump-start the process and steer the strategy is often harder and more confusing.
I have used the items below several times with good success. They are not static and will most likely change in the near future, but they are a good start.
Quality Is Better
Build a small team of capable security professionals and use them as force multipliers. We carry the responsibility for protecting the business and its core assets.
Simplify the use and understanding of security, so that every control has a clear purpose and function.
Focus On Security Risk
Create security solutions that enable us and our partners to mitigate security risk. Provide education and clear risk communication to leadership, and help employees become security force multipliers.
Shrink The Tech
Reduce the complexity that comes from having many vendors by focusing on the key pieces of technology that give the biggest return for the money.
Develop, Test, And Constantly Improve Security
We need to plan for the most obvious security issues as well as the worst-case scenarios. Stress testing the plans is a must, but those plans need to stay fluid and agile so that real-life conditions can be factored in. Constantly revisit the plans and procedures.