These are my top ten points to give the CTO when they ask “what should we be doing in security?” and you only have a minute or two, or need to fit security onto a single slide:
- Identify and understand your threats
- Reduce your attack surface
- Compartmentalise your important services
- Track assets and fix known vulnerabilities
- Teach people to write secure code
- Teach people to behave responsibly
- Audit these processes regularly
- Monitor for and detect intrusions
- Prepare for incident response
- Choose and measure security outcomes
The challenge is that each of these hides a large body of material needed to understand what it means and why it matters, and years of experience are needed to learn how to actually deliver it.