What are some lessons and thoughts on how to start up an information security program with just one person (ISM) with no plans or budget for additional staff?
I would start with policy. Policy is a security enabler, because if there are no policies for or against certain practices, it will be very hard to get cooperation when trying to increase security.
My next step would be an inventory of both physical assets and data assets. If you don't know what you have or where it is, you have to treat everything as though it is potentially critical.
Once you have policy and an inventory, you can start looking at risks and threat modeling. Using the threat model, you can then start deciding where to put your efforts and make a case for increasing your capabilities through staffing and targeted spending.
To be honest, the only suggestion I have is the most obvious one: evaluate the risks and the cost of each risk, and discuss this with management to either accept the risk or increase the budget. Prioritize your program based on risk and budget, and start with the most urgent risk mitigation or low-hanging fruit.
I appreciate the comments. To add on to that, how would I calculate, and do you advise, the need for staff augmentation through an external vendor SaaS solution?

Taking a risk-based approach, start with a risk assessment, create essential security policies, and develop streamlined incident response plans. Automate routine security tasks where possible, and build a strong security culture by promoting awareness and involving staff as allies in maintaining security practices. Adopt a framework such as NIST or CIS Controls to structure incremental improvements, and consistently communicate progress to management to demonstrate value and advocate for future resources.