I’ve been interviewing candidates lately helping clients fill information security leadership roles. Sometimes when I need to baseline the candidate, I’ll ask them to list for me all the elements of a good information security program, or variations thereof.

So here’s a quick list of elements of a good infosec program, in no particular order. Some are more advanced / comprehensive than others so keep that in mind.

• Infosec Policies and Governance

• Bug Bounty Program

• SAST / DAST Checking

• Secrets Management

• OKR’s

• Endpoint Security

• Incidence Response Plan (Calling this out outside of Policies above because it’s often missed. If you had nothing, I’d rather you had a good IR plan than a bunch of template policies no one has looked at. Want next level? Do some tabletop exercises. /rant )

• Security Awareness Program

• Email and Phishing Protection

• Disaster Recovery Plan

• Security Operations

• Security Architecture

Ok, there you go. It’s not a super comprehensive list, it’s 80% of it at least. Just a quick brain dump of items off the fly at 10pm at night!

Have an awesome week!