Over the last twelve years, working with multiple organizations in various verticals, I noticed that many organizations were performing digital security off the side of their desk and had little to no formalization of their digital security programs. It's not that they were not already doing a lot of good things; it was more that they were not sure they were undertaking all the items they should, and they had nothing documented that would allow them to demonstrate that they even had a formalized digital security program.
Over time, I built a collection of documents that would lay the foundation for a digital security program. The collection of artifacts grew significantly as numerous organizations hired me to help them formalize their digital security programs. One specific higher learning institution, as measured by an independent external rating organization, went from an obscure ranking to 3rd in the country when compared against its peers.
This collection of documents includes a Digital Security Policy and a series of Digital Security Standards, Procedures, Baselines, and Guidelines. Put together, this group of documents forms the foundation for a more formalized digital security program that could benefit any organization. There are also several other supporting documents, including a simplified Risk Management mechanism and a process to help organizations evaluate potential cloud vendors.
In a “let me show you what I’ve been working on” moment, I presented the “system” I had built over more than a decade to a fellow CISO. That presentation, which usually takes me about a half-hour, was squeezed into about 10 minutes. A few days later they asked me if I would be willing to license the material to help them shortcut the process of formalizing a digital security program. This was the beginning of the Digital Security Foundations package available today.