Over the past few weeks I have had the rare opportunity to meet with investment and finance folks as questions around AI and the acquisition of Wiz continue to dominate conversations. We got into product features across multiple products and platforms, debated the future of some of the smaller cloud providers, and more. One question from one of the participants stuck with me: if an organization were building a security program from the ground up, what would it need? Of course a security program isn't just about installing tools; it's a holistic approach that encompasses policies, people, and technology, but when it comes to true protective and detective controls, tools are where it starts. I assembled an answer on the fly, but after some thought I stand by my response. What else do you see as an essential first step in building a new security program?
Let’s characterize a modern security organization with the following basic characteristics:
Significant SaaS usage
Hybrid office and/or global set up
Cloud native hosted applications
Plus, today’s users are more tech savvy and have a lower tolerance on security as an obstacle to productivity, so security must be targeted, reliable and, frankly, matter. Towards that end, if I were setting up a new organization the main technologies I would prioritize are Multi-Factor Authentication (MFA), Cloud-Native Application Protection Platforms (CNAPP), Mobile Device Management (MDM), and Endpoint Detection and Response (EDR).
Multi-Factor Authentication (MFA): Blocks most unauthorized access attempts by requiring users to prove their identity with more than one authentication factor, so a stolen or guessed password alone is not enough.
Cloud-Native Application Protection Platforms (CNAPP): Secures cloud workloads, applications, and infrastructure from a single view of posture, vulnerabilities and runtime activity.
Mobile Device Management (MDM): Enforces device policy so that only managed, compliant devices reach enterprise data.
Endpoint Detection and Response (EDR): Detects, contains and investigates threats at the endpoint level.
Let’s explore why these technologies are non-negotiable for modern organizations.
Multi-Factor Authentication (MFA): The First Line of Defense
In an era of credential-based attacks, passwords alone are no longer sufficient. MFA adds an extra layer of security by requiring users to provide two or more verification factors before gaining access to systems and applications.
Why MFA Matters:
Blunts brute-force, password-spray and credential-phishing attacks (only phishing-resistant factors such as FIDO2/WebAuthn security keys or passkeys also hold up against real-time relay phishing; one-time codes and push approvals can be relayed or fatigued)
Reduces the risk of credential stuffing, since a leaked password from another site no longer unlocks the account
Meets compliance requirements for various regulations
In a world where identity is the new perimeter, strong IAM controls start with MFA
Modern MFA options include biometrics, hardware security keys, passkeys, and adaptive (risk-based) authentication that steps up only when the sign-in looks unusual. Enrolling every user account in MFA should be a top priority for any security program, beginning with administrators, remote access and email; non-human identities (service accounts, API keys) cannot answer an interactive prompt and need a separate control such as short-lived, scoped credentials.
Cloud-Native Application Protection Platforms (CNAPP): Securing the Cloud
With the increasing adoption of cloud services, organizations must protect their cloud workloads from misconfigurations, vulnerabilities, and external threats. CNAPP provides a unified approach to securing applications in cloud environments, combining posture management (CSPM), workload protection and, in most products, vulnerability and entitlement analysis in one place instead of a separate tool for each.
Why CNAPP Matters:
Provides visibility into cloud assets and risks, which is the inventory every later control depends on
Detects misconfigurations (public storage, over-permissive network rules, unused privileges) and enforces security best practices
Helps organizations comply with cloud security frameworks (CIS Benchmarks, NIST CSF)
By integrating CNAPP, cloud applications stay covered from development (infrastructure-as-code and image scanning) through deployment and runtime, and today’s CNAPP tools surface more insight out of the box than, admittedly, many tenured engineers can provide.
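To make the "detects misconfigurations" and "MFA across all user accounts" points concrete, here is a small posture check of the kind a CNAPP runs continuously against a cloud account. It is an added example, not code from the original post or from any vendor product; the inventory layout, the three rules and the sample data are my own simplified assumptions (a real product pulls this inventory from the provider's APIs and carries hundreds of benchmark-derived rules), and the sample inventory is constructed, not a real account.

```python
"""CSPM-style misconfiguration checks over a constructed cloud inventory.

Added example, not the original post's or any product's code. The inventory
format and the rules are simplified assumptions modelled on common
CIS-benchmark-style controls: console users without MFA, remote-admin ports
open to the Internet, and object storage that is public or unencrypted.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # SSH and RDP: the "remote server administration" ports


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str
    detail: str


def check_iam_mfa(users):
    """Flag users who can log in to the console but have no MFA device enrolled."""
    return [
        Finding("iam-user-no-mfa", u["name"], "HIGH", "console login without MFA")
        for u in users
        if u.get("console_access") and not u.get("mfa_enabled")
    ]


def check_open_admin_ports(security_groups):
    """Flag ingress rules that expose SSH/RDP to the whole Internet (v4 or v6)."""
    findings = []
    for sg in security_groups:
        for rule in sg["ingress"]:
            world = ip_network(rule["cidr"]).prefixlen == 0  # 0.0.0.0/0 or ::/0
            hits_admin = any(rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS)
            if world and hits_admin:
                findings.append(Finding(
                    "sg-admin-port-open-to-world", sg["id"], "CRITICAL",
                    f"{rule['cidr']} -> {rule['from_port']}-{rule['to_port']}"))
    return findings


def check_storage(buckets):
    """Flag object-storage buckets that are publicly readable or unencrypted at rest."""
    findings = []
    for b in buckets:
        if b.get("public_read"):
            findings.append(Finding("bucket-public-read", b["name"], "HIGH", "public read ACL/policy"))
        if not b.get("encryption_at_rest"):
            findings.append(Finding("bucket-no-encryption", b["name"], "MEDIUM", "no default encryption"))
    return findings


def evaluate(inventory):
    """Run every rule and return findings ordered by severity, then resource."""
    findings = (check_iam_mfa(inventory["iam_users"])
                + check_open_admin_ports(inventory["security_groups"])
                + check_storage(inventory["buckets"]))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.resource))


# Constructed sample inventory (assumption: not a real account).
SAMPLE_INVENTORY = {
    "iam_users": [
        {"name": "alice", "console_access": True, "mfa_enabled": True},
        {"name": "bob", "console_access": True, "mfa_enabled": False},
        {"name": "ci-deployer", "console_access": False, "mfa_enabled": False},  # API-only, no prompt to answer
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-bastion", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
        {"id": "sg-db", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 0, "to_port": 65535}]},
    ],
    "buckets": [
        {"name": "app-logs", "public_read": False, "encryption_at_rest": True},
        {"name": "marketing-assets", "public_read": True, "encryption_at_rest": False},
    ],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.rule}: {f.resource} ({f.detail})")
```

Two design points worth noting: the MFA rule deliberately skips API-only identities such as `ci-deployer`, because they cannot complete an interactive factor and need a different control, and the network rule keys on prefix length zero rather than the literal string `0.0.0.0/0` so that an IPv6 `::/0` rule is caught as well. The wide-open internal rule on `sg-db` is not flagged; a fuller rule set would look at that separately.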
Mobile Device Management (MDM): Controlling Access to Enterprise Data
As remote work becomes the norm, managing and securing mobile devices is critical. MDM solutions let IT teams enforce security policies, including browser and application policies, control device access, and remotely wipe corporate data if needed.
Why MDM Matters:
Protects company data on employee-owned and corporate devices
Enforces encryption and secure access controls
Enables remote management and incident response
Organizations should ensure that all mobile devices accessing corporate networks comply with security policies through an MDM solution. MDM typically arrives in two stages. First comes inventory, basic account locks (screen lock and disk encryption enforcement) and remote wipe when a device is lost or an employee leaves. Then, as the organization evolves, MDM becomes the enforcement point for browser-based and application-based policies that blunt those classes of attack, and the device-compliance signal that the identity provider can key conditional access on.
Endpoint Detection and Response (EDR): Stopping Threats at the Endpoint
EDR is now table stakes. Period. Endpoints such as laptops, desktops, and servers remain prime targets for cybercriminals. EDR solutions monitor and analyze endpoint activity (process execution, file and registry changes, network connections) to detect suspicious behavior, block threats, and provide the forensic telemetry an investigation needs.
Why EDR Matters:
Identifies and mitigates advanced threats in real-time
Provides threat intelligence for proactive defense
Enhances incident response and reduces dwell time
Implementing EDR means your organization can respond swiftly to and contain threats (isolate a host, kill a process) before they cause significant damage. Not to mention, many EDR (and XDR) also provide host based
Why these 4? Because…
1) MFA is one of the strongest protection tools available in the cybersecurity toolbox
2) EDR, CNAPP and MDM are the strongest detective (and even response) tools available in the cybersecurity toolbox.
Putting the strongest controls in from the get-go means every control added later inherits more visibility and observability, multiplying the efficacy of the security program; other tools cannot match the protection that MFA, CNAPP, MDM and EDR offer a modern organization.
A security program is not a one-time project—it’s an ongoing commitment to safeguarding an organization’s digital assets. By prioritizing MFA, CNAPP, MDM, and EDR, organizations can build a strong foundation for security while staying resilient against evolving threats.
Culture.
Culture is the set of tendons that connect People with Policy (& Process) and those with Technology.
Our failure to make progress these past 20-30-odd years is in great part a failure of culture.
"... today’s users are more tech savvy and have a lower tolerance on security as an obstacle to productivity..." <--- that's a cultural problem. It is ignorance, arrogance, and knowing just enough to be dangerous but not enough to have discretion.
Having done just that over the last 18 months and grown a security team from zero to over 60 people, your choices are sound.
I’d add that in order to extract signal and enable actionable intelligence you also need:
1) A SIEM/SOAR/whatever you want to call it
2) Some manner of vulnerability management / patching platform for endpoints, tied to cloud
3) Some form of SASE capability for app visibility/control and threat mitigation, including ZTNA capabilities for secure access from endpoints
4) Some form of identity management/IGA/entitlement management, likely tied to your IdP, that enables conditional access and policy enforcement connected to MDM and hopefully tied to enabling Privileged Access Management
Add that to yours and I think you’re cooking with gas…