Chapter 6. Step 3: Use the Four Cornerstones to Lay the Foundation of Your Program

Step 1 focused on the value of relationships and getting to know your organization, its people, and culture. Step 2 was a necessary process of calibrating yourself to align with the company’s prevailing culture toward information security. Both steps are about getting to know others and making the internal adjustments within yourself to calibrate your approach to security, so that you can give your company the security department it wants from you.

This chapter covers the work of putting pen to paper and establishing what I like to refer to as the cornerstones upon which the early years of your program will be built. For steps 1, 2, and 3, you don’t need to hire anyone. All this work can be done by you alone.

The Four Cornerstones

With progress being made in steps 1 and 2, you can now turn to the actual work of building your cybersecurity program. There’s no time requirement for steps 1 and 2, so when you start on step 3 (the four cornerstones) will be dictated by your unique work situation. I do want to highlight that as you begin the work of the four cornerstones, you should never stop the work of building and maintaining relationships, and calibrating yourself to the company’s culture.

Let’s now look at these four cornerstones, the foundation of any InfoSec program:

  • Documentation

  • Governance structures

  • Security architecture

  • Communications

These four areas, along with relationships and alignment, ...

Get The Cybersecurity Manager's Guide now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.