Four Dimensions of Building a Security Program

This talk focuses on how to evaluate and think about designing your security program. It looks at several key areas and the bad metrics that can lead you astray as a business.

Key Takeaways: Keep track of coverage, understand whether your comprehensive controls interact with each other, understand the context of your environment, and know whether your controls are continuously getting better or worse.

Recorded Appearances

Cloud Security Alliance’s Cloud Threats and Vulnerabilities Summit, as “How to CISO in the Cloud”

Andy Ellis – What Are the Metrics that Matter in AppSec? from Techstrong.TV on Vimeo.

Same talk, with a focus on AppSec metrics, for TechStrong Live AppSec/API Security conference.

Original Talk, as given at RSAC 2022, multiple Evanta conferences

Slide Decks

RFP Contents

Session Title

How to CISO in the Cloud

Four Dimensions of Building a Security Program

Session Detail

(< 2,500 characters, including spaces.)

The challenge of building a security program in the cloud is that there are too many things you could be doing, which makes it hard for security leaders to decide which things they should do next. Every organization is different, but there are commonalities in the cloud that all can benefit from.

All too often, companies pivot from fighting one fire to another. They end up cobbling together a security program with duct tape, baling wire, and a handful of solutions implemented as a reaction to their own incidents and to major headlines about other companies’ breaches. How should a CISO evaluate building their security program?

In this talk, I will be exploring a mental model that CISOs can use – one that I used in my 20 years as a CISO – to evaluate the state of their security program and to identify where there are gaps in coverage. At a high level, the framework is four-dimensional, covering width (asset coverage), height (control comprehensiveness), depth (risk context), and time (maturity continuity). I will use case studies to highlight ways security programs often fail on one of these axes, so that participants can connect the programs they work on to shortcomings others have already experienced.

Most ways to evaluate a security program become frameworks with an overly strong focus on detail, at the cost of a holistic view of the program’s health. As the focus narrows to the “known knowns” (we’ve documented the risk), even the “known unknowns” (we’re pretty sure there is a risk, but don’t have specifics) are forgotten. The “unknown unknowns,” of course, almost never get visibility.

(Limit 400 characters, including spaces.)

How do you know what to invest in next, or whether the time and energy that you’re spending on a security technology or program is a good investment?  Learn how veteran CSOs think about security investments, and develop your own rubric for evaluating where to best make your next security improvement.

Quick Abstract

(Limit 200 characters, including spaces.)

How do you know that the time/energy that you spend on a security technology or program is a good investment?  Learn to develop a rubric for evaluating how to best make your next security improvement.