Design Thinking on Designing Security Services

Security teams come in different structures, sizes and cultures, just like security services.

Often there is a temptation to design security team in silo and go through the full "wish list", such as security architecture and design, security consulting and advisory, security engineering, red team, pentest, threat hunting etc.

Even with a large budget, competent people and management support, to set up for success, it is vital to design the security team and its services from stakeholder perspectives - design thinking.

Here is how to apply design thinking to design or improve security services.

Design Thinking.jpg
  1. Start with the analysis following 4 environmental elements, i.e., general threat landscape and the one specific for the industry; company business strategy; company security maturity; existing security capabilities;
  2. Interview relevant stakeholders to gain a thorough understanding of security challenges;
  3. Clearly articulate the challenges and verify the with stakeholders;
  4. Brainstorm/whiteboard security team setup and security services that are required to address the challenges considering analysis from step 1;
  5. Prepare (a subset of) required people, processes, tools as the prototypes;
  6. Run the prototype tests with stakeholders, improve, fail or promote prototypes.