Elements of a Good Infosec Program

Some are more advanced / comprehensive than others so keep that in mind.

I’ve been interviewing candidates lately helping clients fill information security leadership roles. Sometimes when I need to baseline the candidate, I’ll ask them to list for me all the elements of a good information security program, or variations thereof.

So here’s a quick list of elements of a good infosec program, in no particular order. Some are more advanced / comprehensive than others so keep that in mind.

  • Infosec Policies and Governance

  • Bug Bounty Program

  • SAST / DAST Checking

  • Secrets Management

  • OKR’s

  • Endpoint Security

  • Incidence Response Plan (Calling this out outside of Policies above because it’s often missed. If you had nothing, I’d rather you had a good IR plan than a bunch of template policies no one has looked at. Want next level? Do some tabletop exercises. /rant )

  • Security Awareness Program

  • Email and Phishing Protection

  • Disaster Recovery Plan

  • Security Operations

  • Security Architecture

Ok, there you go. It’s not a super comprehensive list, it’s 80% of it at least. Just a quick brain dump of items off the fly at 10pm at night!

Have an awesome week!