As we built securityprogram.io, our team put a lot of thought into how to build and run a security program in general. We had done it for a few customers on a consulting basis. We had assembled common artifacts we like to use. We had some foundational concepts that seemed to be important (e.g., aligning to a standard).
Aligned to our overall mission, we wanted this information to be much more accessible. We also wanted the contents to transcend our system or any particular security standard and be rooted in common-sense, pragmatic security.
Building A Security Program aims to be a simple and yet complete guide to building a security program. We think that it has valuable information for everyone from Founders to CTOs to Security Analysts and Consultants looking to broaden their security sphere and take on more leadership responsibility. It probably isn't a great read for an existing CISO. The book de-emphasizes cutting-edge technology and products. It is not presenting new security information based on new data. It is capturing what we believe are tried-and-true basics based on our team's collective experience.
We are publishing the book through Leanpub. That means it is a work in progress that gets updates over time.