5 Year Security Roadmap

The goal is to keep evolving our security practice. We start from the current-state architecture, define an end-state architecture, spin out projects that close the gap between the two, and then execute those projects.

Below is an example outline intended to get you thinking about how to create a 5 year plan. A 5 year plan helps us avoid myopia and keeps the focus on the long term.

Year 1

Training the team: making the developers aware of secure coding practices, upskilling the security analysts, and making the whole team aware of best-practice frameworks such as SANS, CIS and OWASP.

Year 2

Security is about a lifecycle, not point solutions or project-based work; a lifecycle means the process never ends. It forces us to keep our focus on security.

Year 3

Once we have been upskilled and have new processes in place, we can start to introduce new technologies that will help us, such as web application security technologies and intrusion detection technologies.

Year 4

Now that we are a bit more mature, we can put processes in place so that we can become standards compliant. Achieving ISO 27K certification means that certain prerequisites need to be in place in our business.

Year 5

We’ve done a lot of work. Now it’s time to preempt threats to our IT environment by using all the things we’ve learned in the past four years.