Applying security programs – Top-down VS Bottom-up approach

Security professionals dealing with security programs or projects have usually 2 options: get management support and drill down, or get support from the techies and pull yourself up. As each method has its pros and cons, this article will provide some insights on dealing with each approach.

When possible try to obtain management support and apply the top-down approach. You will have the budget, increased efficiency and on the long term are most likely more effective. However, you are in the need of create people supporting you with your project(s), as plans don’t execute themselves. While this does also apply when using the opposite bottom-up approach, you have at least found already the smart technical people who are convinced that the security posture of the company needs to be improved.

Before choosing the approach, it’s useful to know what the company culture is, what industry you are and the risks involved. Creating a fort Knox for your local bakery does not make sense, so think about these factors before implementing new security controls.

Top-down

  • Management support
  • Usually budget available
  • A strategy is available or can be defined, together with the policies, a security program and the underlying execution plans
  • Manage on risks
  • Most efficient
  • More likely to obtain long term results
  • Challenges to get support on all levels (but push mechanism available as you have management support)

Bottom-up

  • Support from technical persons
  • Usually quick first results, but then suddenly hurdles to take (no budget, managers blocking progress)
  • Usually technical oriented solutions
  • Not much budget