Whiteboard Wednesday:

Maturing Your Information Security Program

March 06, 2019

In this week’s Whiteboard Wednesday, Christy Draicchio, Advisory Services Consultant, walks you through the steps needed to improve your information security program. Beginning with getting buy-in from your executive team, each step is detailed and broken down for you. Learn the best ways to approach challenges you may face as you grow the program.

Video Transcript

Hi, everyone. Welcome to this week's Whiteboard Wednesday. I'm Christy Draicchio, and I'm a member of the security advisory services team here at Rapid7. Today, we are going to discuss some steps you can take to help mature your information security program. As a first step, you are going to want to gain management buy-in from your executive team and board of directors. Management buy-in is key in supporting your information security program. The best way to gain this support is to present information security in terms of business risk. Help your executive team understand the impact to the business if a significant security incident were to occur or a specific security threat were not addressed.

Next, you are going to want to define information security policies and develop various programs, such as your asset management, vulnerability management, log monitoring, and incident response strategies. These programs will draw heavily on your information security resources, so that is something that needs to be considered as these programs continue to be developed. The budgetary, people, and technology resources you need will be significantly easier to obtain if you have already achieved management support.


Once your program has been defined and controls have been implemented, you should consider assessing your program against an established security framework or control set, such as the NIST Cybersecurity Framework, the CIS Critical Security Controls, or ISO 27001. From your assessment, you will recognize gaps in your program and areas where improvement is needed. Develop a plan of action for the future. Define a roadmap for the next one to three years that includes specific projects and timelines, whether it's developing a vendor management program, implementing a multifactor authentication solution, or something else. Control implementation, assessment, and planning for the next phase should become a cyclical process. As your program progresses, look to include repeatable processes and automation within your control set. This will help your organization move up the security maturity ladder.


Lastly, an important step that you should integrate into your security maturity journey is building awareness and incorporating a security culture within your organization's business culture. In addition to management, end users should be aware of the changes being made, how changes will affect them, and why these changes or controls are being implemented. It should be clear that security is everyone's responsibility. To enlist our help with any of these steps, visit us at rapid7.com/contact. That's it for this week's Whiteboard Wednesday. We'll talk to you next time.
