Exercises: Building a Complete Security Program

These exercises are the capstone. They build the four-milestone deliverable — Assemble the program, Prioritize the roadmap, Build the business case, Deliver the board presentation — that this chapter describes. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis/synthesis), and ⭐⭐⭐ (open-ended/leadership judgment). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before reading one.

Because this is a synthesis chapter, most exercises reference work from earlier chapters. Keep your Meridian capstone folder (the running program document and risk register) and your bluekit package nearby — you assembled the raw material across thirty-seven chapters, and now you put it together.


Part A — From components to a program ⭐

1.† In two sentences, explain the difference between a pile of security artifacts and a security program. Name the three properties (from §38.1) that turn one into the other.

2. Match each artifact to the CSF function it belongs under (Govern / Identify / Protect / Detect / Respond / Recover): (a) the risk-appetite statement; (b) the SIEM correlation rules; (c) the phishing-resistant MFA standard; (d) the ransomware tabletop; (e) the asset inventory; (f) forensics readiness; (g) the compliance crosswalk; (h) network segmentation.

3. Write Meridian's security strategy in a single sentence. It must rule something in and rule something out. Then name one roadmap decision your sentence would settle.

4.† A new CISO says: "We have every control in this book, so we have a great security program." Explain why this does not follow, using the §38.1 threshold concept.

5. Explain what it means for risk to be "the spine" of a program. When a director questions a single roadmap item, what form must the justification take?


Part B — Milestone 1: Assemble the program ⭐⭐

6.† Produce your own program-on-a-page (your version of Figure 38.1) for Meridian: list at least twelve components, each under its correct CSF function, with the chapter that built it. You may compress, but every CSF function must appear.

7. For three components of your choice from Exercise 6, write the one-line "connection" statement that makes the program coherent — i.e., how each connects to a neighbor (e.g., "PAM (Ch.19) limits what a compromised account from a phishing click (Ch.16 gap) can reach, before segmentation (Ch.6–7) contains it"). Coherence is the point of assembly.

8.† The Protect layer holds the most components. Explain why, naming the recurring theme it reflects, and trace how the original phishing attack (Ch.1) is now met by at least five independent Protect-layer controls, naming the chapter for each.

9. Audit your assembled program for balance using the Chapter 3 control taxonomy: count roughly how many of your components are preventive vs. detective vs. corrective. A program heavy on prevention and light on detection has a known weakness — what is it, and which theme warns against it?

10. ⭐⭐⭐ Take the program you assembled and find the single biggest gap — a CSF function or risk area that your Meridian build left thin. Defend your choice, and state where on the roadmap closing it should fall.


Part C — Milestone 2: Prioritize the roadmap ⭐⭐

11.† You have these five candidate initiatives (risk reduced and cost are illustrative). Compute the risk-reduction-per-cost ratio for each, then propose a phase (1, 2, or 3) for each, justifying any case where the phase does not match the ratio ranking.

    Initiative                       Risk reduced/yr   Cost     Dependency
    (a) MFA bank-wide                $2.0M             $150K    none
    (b) CDE segmentation             $1.4M             $200K    network refresh; PCI obligation
    (c) 24×7 SOC                     $1.8M             $1.5M    mature SIEM
    (d) Disable orphaned accounts    $0.9M             $40K     none
    (e) Zero-trust migration         $2.4M             $4.0M    identity + segmentation done
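The ranking-plus-sequencing logic that Exercises 11, 13 and 14 ask you to carry out by hand is shown below as an added worked example; it is not code from the chapter or from the Meridian capstone package. The risk and cost figures are the table's illustrative values. Everything else is an assumption made here to make the scheduler concrete: the reading of "identity + segmentation done" as dependencies on (a) and (b), the phase from which each external prerequisite can be relied on, and the per-phase spend ceilings. The scheduler walks the initiatives in risk-per-cost order (obligations first), places each in the earliest phase its dependencies and the phase budget allow, and records why, so that every placement that breaks the pure ratio ranking comes with its justification.

```python
"""Roadmap phasing: risk-reduction-per-cost ranking, then dependency-,
obligation- and budget-aware placement into Phases 1-3.

Added worked example for Exercises 11/13/14; not the chapter's own code.
"""
from dataclasses import dataclass, field


@dataclass
class Initiative:
    key: str
    name: str
    risk_reduced: float            # $M of annualized risk removed, per year
    cost: float                    # $M, one-time
    deps: list[str] = field(default_factory=list)      # keys of other initiatives
    external: list[str] = field(default_factory=list)  # prerequisites outside this list
    obligation: bool = False       # regulatory/contractual deadline pulls it forward

    @property
    def ratio(self) -> float:
        return self.risk_reduced / self.cost


# Figures from the Exercise 11 table. Dependency mapping is an assumption:
# "identity + segmentation done" is read as (a) MFA and (b) CDE segmentation.
INITIATIVES = [
    Initiative("a", "MFA bank-wide", 2.0, 0.15),
    Initiative("b", "CDE segmentation", 1.4, 0.20, external=["network refresh"], obligation=True),
    Initiative("c", "24x7 SOC", 1.8, 1.50, external=["mature SIEM"]),
    Initiative("d", "Disable orphaned accounts", 0.9, 0.04),
    Initiative("e", "Zero-trust migration", 2.4, 4.00, deps=["a", "b"]),
]

# Assumptions: the phase from which an external prerequisite can be relied on
# (the network refresh is already in flight; SIEM tuning is itself Phase 1
# work), and the spend ceiling per phase in $M (Phase 3 is uncapped).
EXTERNAL_AVAILABLE_FROM = {"network refresh": 1, "mature SIEM": 2}
PHASE_BUDGET = {1: 0.5, 2: 2.0, 3: float("inf")}


def ratios(items=INITIATIVES) -> dict[str, float]:
    """Risk reduced per $ of cost, keyed by initiative."""
    return {i.key: i.ratio for i in items}


def ratio_ranking(items=INITIATIVES) -> list[str]:
    """Keys ordered from best to worst risk-per-cost ratio."""
    return [i.key for i in sorted(items, key=lambda i: i.ratio, reverse=True)]


def earliest_phase(item: Initiative, assigned: dict[str, int]):
    """Earliest phase the item may start in, or None if a dependency is unplaced."""
    start = 1
    for ext in item.external:
        start = max(start, EXTERNAL_AVAILABLE_FROM[ext])
    for dep in item.deps:
        if dep not in assigned:
            return None
        start = max(start, assigned[dep] + 1)   # a dependency must finish first
    return start


def build_roadmap(items=INITIATIVES, budgets=PHASE_BUDGET):
    """Return (phase per key, reason per key). Obligations are placed before the
    ratio-ordered queue; each item lands in the earliest affordable phase that
    its dependencies permit. Raises if dependencies can never be satisfied."""
    ranked = sorted(items, key=lambda i: i.ratio, reverse=True)
    pending = [i for i in ranked if i.obligation] + [i for i in ranked if not i.obligation]
    assigned: dict[str, int] = {}
    reasons: dict[str, str] = {}
    spent = {p: 0.0 for p in budgets}
    while pending:
        progressed = False
        for item in list(pending):
            start = earliest_phase(item, assigned)
            if start is None:
                continue                          # wait for its dependencies
            phase = next(p for p in sorted(budgets)
                         if p >= start and spent[p] + item.cost <= budgets[p])
            assigned[item.key], spent[phase] = phase, spent[phase] + item.cost
            why = []
            if item.obligation:
                why.append("obligation, placed ahead of ratio order")
            if start > 1:
                why.append(f"blocked by {item.deps + item.external} until phase {start}")
            if phase > start:
                why.append(f"phase {start} budget exhausted")
            reasons[item.key] = "; ".join(why) or f"ratio {item.ratio:.1f}, no dependency"
            pending.remove(item)
            progressed = True
        if not progressed:
            raise ValueError(f"unresolvable dependencies: {[i.key for i in pending]}")
    return assigned, reasons


if __name__ == "__main__":
    phases, why = build_roadmap()
    for key in ratio_ranking():
        print(f"({key}) ratio {ratios()[key]:5.1f} -> Phase {phases[key]}: {why[key]}")
```

Read the output against the exercise's question: (c) and (e) fall below their ratio rank because of a prerequisite and a budget ceiling, not because they reduce less risk, and (b) sits in Phase 1 on its obligation as much as on its ratio. Change the two assumption tables and watch which placements move; that is the same sensitivity a director will probe.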

12. Explain, with a concrete pair of initiatives, why "always do the highest-risk item next" can leave a program having spent its whole budget while reducing little total risk.

13.† Name the two things that can legitimately override the risk-per-cost ranking when sequencing a roadmap. Give one Meridian example of each.

14. Build a dependency graph (in words or a simple diagram) for four roadmap items: zero trust, network segmentation, identity governance (IGA), and access-review automation. Which items block which, and how does that shape the phasing?

15. Your roadmap's Phase 1 is labeled "Stop the bleeding." Choose four items for Meridian's Phase 1 and justify why each belongs there (high ratio, no dependency, or obligation), referencing the chapters that built them.

16. ⭐⭐⭐ A board member asks: "Why is the zero-trust migration in Year 2 and not now? Isn't zero trust the gold standard?" Write a three-to-four-sentence answer that defends the sequencing without disparaging zero trust — using risk-per-cost, dependencies, and the strategy.


Part D — Milestone 3: Build the business case ⭐⭐–⭐⭐⭐

17.† The top three untreated Meridian risks have the parameters below. Using Chapter 27's method, compute each ALE (SLE × ARO) and the total "cost of doing nothing."

    Risk                                               SLE (per event)   ARO (events/yr)
    Credential compromise → account takeover           $3.0M             0.8
    Lateral movement via over-privileged account       $2.5M             0.6
    CDE breach (cardholder data)                       $5.0M             0.4
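The ALE arithmetic of Exercise 17 and the board framing of Exercise 19 are carried through below as an added worked example, not code from the chapter. SLE and ARO values are the table's; the $1.7M investment and the ~$0.9M residual are Exercise 19's figures. The ±25% band on ARO is an assumption made here to show the point of Exercises 21 and 22: a number the board can trace, and a case that still holds at the pessimistic end of the estimate, is worth more than an inflated one.

```python
"""ALE (SLE x ARO) per risk, cost of doing nothing, loss-avoided business case,
and a sensitivity band on the frequency estimates.

Added worked example for Exercises 17/19/21/22; not the chapter's own code.
All money is in $M; ARO is events per year.
"""

# Exercise 17's three untreated risks (name, SLE, ARO).
RISK_REGISTER = [
    ("Credential compromise -> account takeover", 3.0, 0.8),
    ("Lateral movement via over-privileged account", 2.5, 0.6),
    ("CDE breach (cardholder data)", 5.0, 0.4),
]


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: single-loss expectancy times annual rate."""
    return sle * aro


def cost_of_doing_nothing(register=RISK_REGISTER, aro_scale: float = 1.0) -> float:
    """Total ALE across the register; aro_scale lets a reviewer stress the
    frequency estimates (1.0 = the register as written)."""
    return sum(ale(sle, aro * aro_scale) for _, sle, aro in register)


def derivation(register=RISK_REGISTER) -> list[str]:
    """Traceable lines for the 'where does the number come from?' question."""
    lines = [f"{name}: ${sle:.1f}M x {aro}/yr = ${ale(sle, aro):.1f}M" for name, sle, aro in register]
    lines.append(f"Total ALE (cost of doing nothing): ${cost_of_doing_nothing(register):.1f}M/yr")
    return lines


def business_case(investment: float, residual: float, register=RISK_REGISTER,
                  aro_scale: float = 1.0) -> dict:
    """Board-language figures: annual risk before, risk removed, residual, and
    how many years of avoided loss the one-time investment represents.
    Assumption: the projected residual is held fixed while ARO is stressed."""
    before = cost_of_doing_nothing(register, aro_scale)
    removed = before - residual
    return {
        "investment": investment,
        "annual_risk_before": before,
        "annual_risk_removed": removed,
        "residual": residual,
        "payback_years": investment / removed if removed > 0 else float("inf"),
    }


def sensitivity(investment: float, residual: float, band: float = 0.25, register=RISK_REGISTER):
    """Re-run the case with ARO scaled by (1 - band) and (1 + band); returns the
    pessimistic and optimistic cases and whether the pessimistic one still
    removes more annual risk than the investment costs."""
    low = business_case(investment, residual, register, 1.0 - band)
    high = business_case(investment, residual, register, 1.0 + band)
    return low, high, low["annual_risk_removed"] > investment


def board_sentence(investment: float, residual: float, register=RISK_REGISTER) -> str:
    c = business_case(investment, residual, register)
    return (f"A one-time ${c['investment']:.1f}M investment removes about "
            f"${c['annual_risk_removed']:.1f}M of the ${c['annual_risk_before']:.1f}M in annual risk "
            f"we carry today, leaving roughly ${c['residual']:.1f}M per year we will still manage.")


if __name__ == "__main__":
    print("\n".join(derivation()))
    print(board_sentence(1.7, 0.9))
    low, high, holds = sensitivity(1.7, 0.9)
    print(f"ARO -25%: ${low['annual_risk_before']:.2f}M/yr risk; +25%: ${high['annual_risk_before']:.2f}M/yr; "
          f"case holds at the low end: {holds}")
```

The derivation lines are the answer to Exercise 22: method, inputs, and the sum, each checkable against the register. The sensitivity band is the honest alternative to rounding up: if the case already holds when every frequency estimate is cut by a quarter, there is nothing to gain from "about $10M" and a great deal to lose the first time a director asks for the inputs.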

18. Name the four parts of a security business case (§38.4) and write one sentence of Meridian content for each.

19.† The Phase 1–2 investment is ~$1.7M and is projected to reduce annualized risk from the Exercise-17 total to ~$0.9M. State the business case in one sentence in the board's language (investment, risk removed, residual). Then explain why this framing outperforms "we could get breached."

20. Rewrite each fear-based or tool-based justification into risk-and-dollars language a board funds: (a) "We really need next-gen EDR with behavioral detection." (b) "If we don't fix this we could be the next big breach in the news." (c) "Our SIEM is old and we should upgrade it."

21. ⭐⭐⭐ Integrity check. Your manager suggests rounding the $6M annual-risk figure up to "about $10M — it'll get us the budget." Write your response, and explain (referencing the chapter's ethics note) why inflating the number is both wrong and, over more than one budget cycle, ineffective.

22. A director challenges: "Where does the $6M come from?" Write the two-to-three-sentence answer that demonstrates the number is traceable, naming the method and the inputs.


Part E — Milestone 4: Deliver the board presentation ⭐⭐–⭐⭐⭐

23.† A board cares about four things (§38.5). List them, and for each name the deck slide (from Figure 38.3) that primarily answers it.

24. Put these eight deck elements in the correct order and explain why the ask comes where it does: metrics; the gap; the risk story; the decision; what we've built; the roadmap; the ask; the business case.

25.† Own the gap. Write the "What's left" slide (slide 4) for Meridian: name two risks still above appetite, in plain language, with one sentence each on the plan to close them. Then explain why presenting weakness builds board confidence.

26. Rewrite this opening line so it leads with the ask: "Over the past eighteen months the security team has deployed EDR across the fleet, tuned forty SIEM rules, run two tabletops, and rolled out MFA, and we'd like to discuss increasing the security budget." Make it a single sentence a board reads first.

27. Identify everything wrong with putting this slide in a board deck, and say what should replace it: "Top SIEM detections this quarter: 1,284 brute-force alerts, 412 suspicious-PowerShell alerts, 88 DNS-tunneling candidates; mean alerts/analyst/day: 230; rule false-positive rate down 14%."

28. ⭐⭐⭐ Tabletop the boardroom. Write a short script (8–10 lines) of a board Q&A in which a skeptical director presses on cost ("this is a lot of money") and you respond using loss-avoided framing, the residual-risk honesty, and a restated ask. Stay in the board's language throughout.


Part F — Respond to this / design it ⭐⭐

29.† Respond to this scenario. Two weeks before the board meeting, a peer regional bank suffers a ransomware breach that makes national news. The board chair emails Dana: "Are we exposed to this?" Using the assembled program, draft a five-to-seven-sentence reply that (a) answers honestly, (b) maps the threat to the specific controls already in place (🔗 Chapters 24, 16, 6–7, 25), (c) names the residual gap, and (d) ties it to the pending roadmap ask — without inducing panic.

30. Design it. Sketch the reconciliation required when the three capstone tracks disagree on Phase 1: the Engineer wants to sequence by dependency, the GRC by risk-per-cost, and the SOC by detection gap. Propose a Phase 1 that respects all three views and explain the tradeoff you made.

31. Design the metrics slide. Choose the three-to-five board-level KRIs for Meridian's slide 7, state a target for each, and explain in one line why each tells the board whether risk is trending toward or away from appetite (🔗 Chapter 36).


Part G — CTF-style challenge ⭐⭐⭐

32.† The incoherent program. A consultant hands Meridian's board this "program summary": a flat, unordered list of 26 purchased tools, no risk register, no roadmap, no costs, and a closing slide reading "Recommendation: increase security spend by 20%." The board funds nothing and asks for "a real plan." Diagnose every way this artifact fails the §38.7 rubric (coherence, traceability, prioritization, business framing, honesty, the ask, audience fit), then outline — in one page — what you would deliver instead, milestone by milestone.


Part H — Interleaved & integrative ⭐⭐

33. Interleaved (Ch.2, 21, 22, 24). The SOC track must show the program would detect a SolarWinds-style intrusion. Sketch, in five steps, the detection-and-response path the assembled program provides — from the threat model (who/why) through detection coverage to containment — naming the chapter behind each step.

34. Interleaved (Ch.3, 6–7, 16–20, 32). The Engineer track must defend why zero trust cannot start until identity and segmentation foundations exist. Name three specific prerequisites zero trust depends on and the chapter each comes from, and state what would break if you skipped them.

35. Interleaved (Ch.26, 27, 28, 36). The GRC track must defend a budget to an examiner, not just a board. Name two things an examiner wants that a board may not (🔗 Chapter 28's audit/evidence world), and explain how the assembled program supplies them.

36. ⭐⭐⭐ Synthesis essay. In one page, trace Meridian's full arc from the Chapter 1 near-miss to the Chapter 38 board presentation: what posture it started in, the key components added along the way, and what "managed program" means that "pile of controls" did not. Use at least eight chapter references and at least three of the book's five recurring themes.


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems — especially the ⭐⭐⭐ leadership-judgment items — are deliberately open; bring them to a study group, an instructor, or, if you can, a working security leader, because the boardroom has no single right answer, only defensible ones.