Build a Security Program and Run It Like a Business

I recently finished the book “Traction” by Gino Wickman. Next to Scaling-Up by Verne Harnish, I think it is one of the most actionable business books I’ve ever read. Our team has informally adopted both books as part of the risk3sixty canon. While the book is largely about building a great running business – I think a lot of the same lessons can be applied to building a well-oiled information security program.

If your security organization hasn’t formally adopted these action items – then you will probably get a lot of value out of reading “Traction”.

Does Your CISO Do This?

1 | Have you clearly defined roles and responsibilities within the security organization?
2 | Does each role owner have a specific set of objectives to accomplish this week, this quarter, this year?
3 | Do you have regular meetings to measure results and track progress against mission objectives?
4 | Have you established measurable KPIs (a scorecard) with defined owners within the security organization?
5 | Have you defined the security organization’s mission, core values, and vision?
6 | Does all of this align with the business’s objectives?

Battle Rhythm – Something You Can Start Today

If you haven’t done so already, working through the list above (in order) is worth the time and effort. For the average-sized security team, it might take 6 – 12 months to work out the kinks, but it will change the way your security team operates for the better. But one thing you can do today is establish an effective set of standing meetings to “operationalize” your security team.

Here is your new meeting cadence:


MEETING PURPOSE: Review KPIs, align on mission for the week, discuss any immediate barriers
WHO SHOULD ATTEND: The whole team (if more than 10, start sub-weekly meetings)
DURATION: 60-90 minutes (ours is 60 minutes)
  • Review Scorecard (based on KPIs such as system up-time, vulnerabilities, remediation of issues, compliance, etc.)
  • Review to-do list from prior week. Only roll-forward items that are still a priority.
  • Specific tactical items that need to be done this week. Create a to-do list and assign ownership to each item.
  • Review any issues that are halting immediate progress. Add to the to-do list.


MEETING PURPOSE: Review scorecard trend, assess progress toward mission, discuss any major changes
DURATION: 2 – 8 hours (ours is 2 hours)
  • Review scorecard trend. Have you been hitting your numbers? Do the numbers need to be adjusted? What has been the impact?
  • Assess progress toward your annual mission. Are you on track?
  • Discuss any major challenges for the quarter (system changes, compliance initiatives, new hires, budget)
  • Review any issues that are halting immediate progress. Add to the to-do list and assign owners.
  • Take the team out for a nice meal after.


MEETING PURPOSE: Set the mission/vision for the year, define goals, clarify roles, adjust KPIs, how this all fits with the business's objective
WHO SHOULD ATTEND: The Management Team
DURATION: (ours is usually 2.5 days of work, half day of fun)
WHERE: Off-site, if possible
  • Review the business's overall objective
  • Set and review the security team’s mission, objective, and values. They should support the business objective.
  • Set the budget, review all financials, anything that has to be reported to the business
  • Clarify roles and responsibilities
  • Set quarterly goals that align to annual objective. Assign owners to each goal.
  • Adjust KPIs to align to mission and goals. Define KPI reporting expectations.
  • Do something special with the team.

Let’s Get Started

If you or your team need help taking your security program to the next level, please contact us.
