Understanding the Top-down cybersecurity approach


A security program is made from a lot of layers and it will operate best if a top-down approach is followed. The top layers of a security program will deal with risk, governance, and strategy, while the lower level will deal with operational tasks. There are two approaches that exist for the implementation of a security program, the top-down and bottom-up approach. The top-down method is usually driven by senior managers, it uses a risk-based approach, and it ensures that there are necessary funding and resources are available. This option has strong upper management support, and it is usually focused on funding, clear planning, and the implementation process.

A security program that is well designed, implemented, and managed should answer all the questions below:

1. Does the company treat all the cybersecurity risks as a business risk?

2. Does the security program support the business goals?

3. How important is data security within the company?

4. Does the company have basic rights? (secure systems, controlled access to data, managing virus outbreaks, and protecting the internal systems from cyber attacks, etc.)

5. Does the company know where the data is stored, who can and is accessing it, and when and how did they access it?

Now, let’s take a look at the cybersecurity layers of the top-down approach:


Risk Management

Risk Management is the task of assessing, identifying, and responding to risks, as well as knowing the outcomes to appropriate parties in a timely manner. It is the process of determining the acceptable level of risk, calculating the current risk levels, and accepting the risk levels.

Security Leadership and strategy

Security leadership and strategy is focused on the level of support the security system gets from senior business management. Support from the highest levels of the company will help create a company culture and the attitude of the employees towards information security. This layers also focuses on the metrics and measurement of the program. Creating a security culture needs an Information Security Steering Committee that will provide means of communication, debates, discussions on the security requirements.

Security Program

This level is connected to the size, structure, and reporting of the employees and teams directly supporting the security program. It also looks at their skills, experience, and qualifications.

Security Policies

This level is concerned with the standards, policies, and guidelines that have been created to describe the information security requirements.

Security Operations

According to the experts from  Blue Hat Cyber, this layer deals with the processes of everyday management, and it includes:


1. Threat management and security events

2. Investigation and solutions of security alerts and incidents

3. Vulnerability management

4. Security training and awareness

5. Third-party risk management

6. System design and development

7. Infrastructure and application security

This is connected to securing the technology that is used by the company to manage its data:


1. Networks

2. Web services

3. Operating systems

4. Databases

5. Wireless networks

6. Mobile devices

7. Security systems


As you can see, the top-down approach is quite useful to keep your systems, data, and company safe from cyber attacks and threats. It is necessary for a company to implement this method into their company in order to keep their data and assets safe. Hence, do not waste any more time, and start planning a strategy for your business.