Building a Practical Information Security Program provides users with a strategic view on how to build an information security program that aligns with business objectives. The information provided will enable both executive management and IT managers to not only validate existing security programs, but also build new business-driven security programs. In addition, the subject matter enables aspiring security engineers to forge a career path to successfully managing a security program that not only adds value to, but also reduces the risk to, the business. The book begins by resolving immediate tactical needs, transforming security needs into strategic goals, ultimately helping users put programs into operation with full lifecycle management. Readers will learn how to translate technical challenges into business requirements, understand when to go big or go home, explore in-depth defense strategies, and review tactics on when to absorb risk. Author David Guretz has built large-scale enterprise security programs that meet business objectives and succeed. As there is so much noise, marketing, and fear in the industry now that spending and deploying based on generic products and standards is often fruitless, and a costly waste of time and energy, this book shows users how to properly plan and implement an infosec program based on business strategy and results. Provides a roadmap on how to build a security program that will protect companies from intrusion Shows how to focus the security program on its essential mission and move past FUD (fear, uncertainty, and doubt) to provide business value Teaches how to build consensus with an effective business-focused program Presents readers with best practices on how to translate technical challenges into business requirements, understand when to go big or go home, how to explore in-depth defense strategies, and how to know when to absorb risk.