Priya has controls, detections, and a survived incident — but a pile of controls isn't a security program. This closing chapter zooms out: the frameworks that organize it all, the compliance and legal rules that constrain it, how to run security as an ongoing program, and where you go next. It closes the book's arc back at Chapter 1's risk framing.
5 topics
Thirteen chapters of controls, detections, and responses are not yet a security program. A program is what makes them durable: an owner accountable for risk, a framework that says whether you have covered everything and in what order, the compliance and legal rules that constrain it, a culture that keeps controls alive between audits, and metrics that show it working. This closing chapter is the operating model that ties the whole book together.
Five topics: security frameworks, compliance and regulation, running security as a program, building a security career, and where to go next. The arc closes where it began — at Chapter 1's "security is risk management" — now operating at the level of a whole organization and a whole career.