Chapter Fourteen · The Bigger Picture

Governance, Risk, and the Bigger Picture

Priya has controls, detections, and a survived incident — but a pile of controls isn't a security program. This closing chapter zooms out: the frameworks that organize it all, the compliance and legal rules that constrain it, how to run security as an ongoing program, and where you go next. It closes the book's arc back at Chapter 1's risk framing.

5 topics

Thirteen chapters of controls, detections, and responses are not yet a security program. A program is what makes them durable: an owner accountable for risk, a framework that says whether you have covered everything and in what order, the compliance and legal rules that constrain it, a culture that keeps controls alive between audits, and metrics that show it working. This closing chapter is the operating model that ties the whole book together.

Five topics: security frameworks, compliance and regulation, running security as a program, building a security career, and where to go next. The arc closes where it began — at Chapter 1's "security is risk management" — now operating at the level of a whole organization and a whole career.

From a pile of controls to a security program
1
Structure
NIST CSF · CIS · ISO 27001
2
Constrain
GDPR · PCI-DSS
3
Operate
ownership · culture · metrics
4
Grow
career · what's next

Topics in This Chapter