How do you build an effective cybersecurity program? If you are starting from ground zero, a reasonable estimate is at least two to three years. One way to get a good start is by looking at the standards.


All of the major IT auditing frameworks and regulations (NIST, SOX, GLBA, HIPAA, PCI, COBIT, COSO, ISO) address physical security. You start by building the program around the standard you are accountable for. If you are a financial firm, SOX, GLBA, PCI and COBIT may be a good starting point. If you are in healthcare, look at the HIPAA and HITECH requirements.


The standards are a great starting point, but you must be flexible and realize that no program is perfect. Budgetary or management decisions will force you to adapt the program to actual business needs, and wherever you diverge from the standard you should document the gap and put a compensating control in place. It is important that Security enable the business.


As Information Security practitioners we cannot sit in an ivory tower simply creating DENY, DENY rules on firewalls. We must promote the profitability and stability of the business, create workarounds, add compensating controls as mentioned above, and find creative ways of securing the network, i.e. not giving away the farm while still allowing the business to be productive.


Additionally, security works best in layers. Defense in depth is critical to the security posture of any firm, and a strong case can be made that physical security complements strong technical and administrative controls. Look at physical security in the big-picture view: it is an important part of the solution, but not an end in itself. That is how you build an effective cybersecurity program from the ground up, beginning with physical security.