I’ve noticed some confusion around the objectives of security teams and I’d like to share my perspective, hoping to clarify matters. Please note that these are just my opinions based on my experiences as a security persona across various organizations.

What is the goal of a security program?

It depends.

In general, the final - ultimate - goal of a mature security program is to ensure business continuity in the face of security events. This involves maintaining the safety, resilience, and trustworthiness of the business, its assets, and its operations with customers and stakeholders.

Now, the thing with security is that the goal is allegedly met until proven wrong so there is little incentive to invest in building a security program proactively.

Typically, companies start investing in security under duress due to one of the following triggers:

• The company becomes subject to compliance requirements TO SELL
  • like when customers require security management certifications (e.g., ISO 270001, SOC2).
• The company becomes subject to compliance requirements TO HANDLE DATA
  • market specific requirements, like privacy laws dictating how to handle sensitive data (GDPR, Healthcare data), handling of credit card data (PCI-DSS), etc
• The company experiences a security incident
  • “our production database is shared on 4chan!”

Following one of such events, a security program is initiated, with its goals limited by the nature of the triggering event.

Initially, on the staffing side one or two individual contributors (ICs) may take on security responsibilities. Over time, this evolves into a multi disciplinary team holding the fort, eventually growing into a comprehensive organization with various specialized teams covering all aspects of security.

It’s useful to view this evolution through the lens of a maturity model, to identify the current stage of a security program and its goals.

At the highest level of maturity, a program’s goals align closely with the vision of ensuring business continuity during security events. This includes maintaining trust with customers and stakeholders, securing data and assets, and enhancing resilience. Large enterprises typically operate at this level.

However, less mature programs are resource constrained and as such will focus narrowly on immediate issues:

• Compliance-driven programs might aim primarily to build trust (compliance to sell) or secure sensitive data (compliance to handle data), prompted by customer demands or regulatory requirements (e.g., GDPR, PCI-DSS).
• Programs initiated by a security incident will focus on developing resilience.

So over time, all security programs will end up caring ~ about everything, but when they start they will be focusing on a specific area, maybe two.

I think that having a model of prospective customer’s security programs will give insights into their specific needs and help with value propositions, since all those focus areas are broad “jobs to be done” categories for their target personas.

This is also useful when thinking about targeting: as a buyer of security tools I experienced being mis-targeted by vendors and I reckon we were a terrible customer for the majority of those who were targeting their products mostly to companies that were in need to be compliant to sell (the biggest demographic of security customers) when we weren’t.