How to adjust the scope of your security program

When you bootstrap a security program, one of the initial concerns is that of scope. Scope determines which people, data and systems will be considered when assessing risk.

It might be tempting to include the company's whole IT infrastructure. But chances are you don't have a full-time security team in place, and the quantity of work might end up getting overwhelming.

If you're just getting started, you will benefit from having a smaller scope.

After all, you don't have all the time, money or human resources in the world. And since security is probably not at the core of your business, you'll want to focus your attention on what matters the most.

So how do you reduce scope? How do you make sure you are not wasting your time with unnecessary details? And how do you know you've included and considered every necessary asset?

Start with the obvious

There might be issues that are stressing you out. Or maybe they're stressing out some of your team members.

Write down all of these issues, and consider which assets are affected.

It won't be perfect, but at least you'll start addressing that worry. This will free some of your mental energy and make it available for other issues.

Eliminate unused components

If you have been operating for more than a few months, there might already be components of your systems that are not used anymore. You could add them to your inventory and keep track of them, or just take the steps to get rid of them.

There might be cost savings here, but this is also an opportunity to reduce complexity. If it does not exist, it won't be a source of worry.

Consolidate tools

The average startup uses more web-based software tools than ever before. I heard recently that the number averaged somewhere north of 80. Many of these tools have similar features, sometimes the exact same ones.

Look for ways to reduce the number of tools you use by standardizing what tools should be used to solve what problem.

Analyze systems from the inside-out

Imagine a set of concentric circles. The circle at the center represents your "crown jewels". That is, those assets that would put you out of business should they be compromised. Work your way slowly towards the outer circles, noting every system involved in the process. You might be surprised to find that many components of your systems are connected to each other.
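One way to make this inside-out walk (and the earlier pass for unused components) mechanical is to write down which assets are connected to which, then walk outward from the crown jewels hop by hop. The script below is an added example, not part of the original post; the asset names and connections are a constructed sample, and "connected" is treated as undirected because data and access can flow in either direction.

```python
from collections import deque

# Constructed sample inventory (hypothetical asset names): each asset maps to
# the assets it is connected to by a network call, shared credential or data flow.
CONNECTIONS = {
    "customer-db": ["api-server", "backup-job"],
    "api-server": ["load-balancer", "auth-service", "metrics-agent"],
    "auth-service": ["identity-provider"],
    "backup-job": ["backup-bucket"],
    "metrics-agent": ["dashboards"],
    "old-wiki": [],
    "marketing-site": ["cdn"],
}

CROWN_JEWELS = ["customer-db"]


def symmetrize(connections):
    """Return an undirected adjacency map: a connection listed in either
    direction makes the two assets neighbours."""
    adj = {asset: set() for asset in connections}
    for asset, peers in connections.items():
        for peer in peers:
            adj.setdefault(peer, set()).add(asset)
            adj[asset].add(peer)
    return adj


def rings(connections, crown_jewels):
    """Breadth-first walk outward from the crown jewels.

    Returns {asset: ring}, where ring 0 is the crown jewels themselves and
    ring n is every asset exactly n hops away. Assets that do not appear in
    the result are not connected to any crown jewel at all.
    """
    adj = symmetrize(connections)
    ring = {asset: 0 for asset in crown_jewels}
    queue = deque(crown_jewels)
    while queue:
        current = queue.popleft()
        for peer in adj.get(current, ()):
            if peer not in ring:
                ring[peer] = ring[current] + 1
                queue.append(peer)
    return ring


def in_scope(connections, crown_jewels, max_ring):
    """Assets to include when the program covers rings 0..max_ring."""
    return sorted(a for a, r in rings(connections, crown_jewels).items() if r <= max_ring)


def disconnected(connections, crown_jewels):
    """Assets with no path to any crown jewel: candidates to leave out of
    scope for now, and worth a second look at why they exist."""
    reached = rings(connections, crown_jewels)
    return sorted(a for a in symmetrize(connections) if a not in reached)


def isolated(connections):
    """Assets with no connections at all: the first place to look for
    components that can simply be decommissioned."""
    return sorted(a for a, peers in symmetrize(connections).items() if not peers)


def report(connections, crown_jewels, max_ring):
    """Human-readable summary of the rings, the chosen scope and the leftovers."""
    by_ring = {}
    for asset, r in rings(connections, crown_jewels).items():
        by_ring.setdefault(r, []).append(asset)
    lines = [f"ring {r}: {', '.join(sorted(by_ring[r]))}" for r in sorted(by_ring)]
    lines.append(f"in scope (rings 0..{max_ring}): {', '.join(in_scope(connections, crown_jewels, max_ring))}")
    lines.append(f"not connected to crown jewels: {', '.join(disconnected(connections, crown_jewels))}")
    lines.append(f"isolated (decommission candidates): {', '.join(isolated(connections))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CONNECTIONS, CROWN_JEWELS, max_ring=1))
```

Raising max_ring widens the scope one circle at a time, which is exactly the "start small, then expand" approach the post argues for; everything in the disconnected list stays out until the inner rings are under control.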

Consider your threat model

Who or what are you protecting information from? If this includes adversaries, what are they after? What motivates them? You might find out that you have been putting effort into protecting something that is of no interest to your actual sources of threat, while the assets at risk are left unprotected.

Notice common mistakes

Is there a part of your system that is always responsible for bringing down production? Or that always needs another patch to make it work properly?

Sometimes we forget that availability is also a security property.

Start somewhere

You're better off with a smaller scope at first. This will make the effort more manageable, and the small wins will encourage you to keep going. If you're still unsure of what that scope should be, just pick a system and start there.

Ignore the rest until you have some level of confidence that this particular scope has been taken care of.

In short, applying these heuristics will allow you to say, with confidence:

  1. We got started.
  2. We address our obvious areas of risk.
  3. We prioritize our most sensitive assets.
  4. We consider the threats that apply to us.
  5. We investigate failing systems.
  6. We consolidate our tools.
  7. We reduce our attack surface.
