establishing a cybersecurity program

I don’t recall where I found this graphic, but at least it has a citation on it. I liked it enough to keep it, and just wanted to move it out from my personal notes into here.

I do like these steps, though obviously there are plenty of ways to tackle this problem. And if someone needs, or needs to show, some sort of process/plan, this makes a good pragmatic start.

One thing I would change on this is to make sure this isn’t like a 1-year process right here. I feel like steps need to be taken pretty quickly to start *doing* something and getting some output and value. For example, Step 7 shouldn’t be waiting for earlier steps to develop. Step 7 should strive to start as soon as positive movement can be achieved. Early, easy wins, or foundational pieces.

I also prefer to think in terms of maturity levels based on some sort of model. I think that’s what is meant here by tiers. That is just a difference in preferred terminology.
