Not long ago, I spoke with an IT Manager. A smart person with years of IT experience, responsible for many successful projects within his company.
Proudly, he explained that because of that success, the board had also made him ultimately responsible for information security.
He opened his laptop and showed me his roadmap for the coming months:
- Pentest on the infrastructure
- Setting up a SOC
- Improving Incident Response
- Implementing Vulnerability Management
What he presented was the approach for four isolated projects.
Not connected.
No sequence.
Lacking vision.
And, as in so many organizations, all placed entirely on the IT department’s plate.
So I asked:
“Have you examined how these components influence each other, and in what order they actually make sense?”
He looked at me, and you could see the realization land.
What structurally goes wrong
Many organizations implement security functionalities as standalone projects.
They pick a framework (ISO27001, NIST, CIS Controls, etc.) and start “implementing” every chapter as if the chapters were independent elements, without coherence and without any alignment with the business.
Security becomes a technical issue, solved by technical people with technical tools.
But that’s not how it works.
Security only works when you design it as one ecosystem. One that collaborates with existing processes and is aligned with business operations.
And yes, saying “security” is easy.
But that word alone means nothing.
Because the real topic is information security.
The asset we protect is information.
Information with meaning and business value.
Technology should support business needs, never dictate them.
That changes the entire picture.
This IT Manager had outlined four separate projects, all from a technical perspective.
He also mentioned that access management, encryption, and data classification were scheduled after these implementations.
If these four security functions are your starting point, this is how they relate to each other:
1. Pentesting the infrastructure: this is done last
A pentest sounds exciting:
“Can you get in? How far can you go?”
But without a foundation, the outcome is predictable.
❌ No Vulnerability Management → meaningless pentest
Without patching, without fixing vulnerabilities, and with years of technical debt, the result is guaranteed:
The pentester gets in.
Easily.
Quickly.
Obviously.
Not because they’re brilliant, but because the front door is wide open.
❌ No SOC/SIEM → you see nothing
A pentest should validate whether you can:
- detect attacks
- understand attacker behavior
- respond in time
But without detection capabilities, you see:
→ absolutely nothing.
You learn nothing.
You measure nothing.
The test becomes meaningless, while still costing a lot of money.
2. SOC: you must see first
A SOC (with a SIEM behind it) provides insight into:
- suspicious activities
- abnormal behavior
- user errors
- impossible logins (for example, the same account authenticating from two distant locations within minutes)
- suspicious network patterns
And yes: most incidents originate from human mistakes, not hackers.
But a SOC only works when it understands what matters to the business.
Detection without business context is just noise.
3. Incident Response (IR): someone must act
A SOC detects.
IR resolves.
Incident Response means:
- stopping threats
- minimizing damage
- restoring systems
- communicating with the business
- implementing structural fixes (not band-aids)
A SOC without IR is a smoke detector without firefighters.
4. Vulnerability Management (VM): the foundation
This is the project you start with, alongside other hardening activities.
Not very exciting… but absolutely essential.
VM ensures that you:
- know where vulnerabilities are (and thus where risk concentrates)
- fix them
- reduce technical debt
- keep systems healthy
- understand where weak points reside
Without VM, everything above it collapses.
But one crucial project was missing
You can only set priorities when you know which systems truly matter to the business.
None of the four functions above provide that.
You get this through:
- business impact analyses
- risk assessments (how likely an impact is to materialize, and how large it would be)
- information & data classification
- classification of processes and services
Without business context, you cannot determine what is important, or what must come first.
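To make the prioritisation argument of this section concrete, and the SOC section’s point that detection without business context is just noise, here is an added Python example (not material from the article) that joins constructed vulnerability-scan findings with a constructed classification table from a business impact analysis. Host names, severity values, criticality levels and the weighting scheme (CVSS × business criticality × exposure) are all assumptions chosen for illustration; the one thing the example is meant to show is that the ranking changes once business context is applied, and that an asset nobody has classified must surface as a gap rather than silently drop to the bottom.

```python
"""Rank scanner findings by business context.

Added example, not from the article. All hosts, scores and weights are
constructed; the scoring formula is an assumption, not a cited standard.
"""


def cvss_only_order(findings):
    """What a scanner-driven team would do: highest CVSS first."""
    return [f["host"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


def prioritise(findings, criticality, exposure_weight):
    """Rank findings by CVSS x business criticality x exposure.

    Returns (ranked, unclassified). Findings on hosts that are missing from
    the classification table are not scored at all: an unknown asset is a
    classification gap to close, not a low priority.
    """
    ranked, unclassified = [], []
    for f in findings:
        crit = criticality.get(f["host"])
        if crit is None:
            unclassified.append(f)
            continue
        score = f["cvss"] * crit * exposure_weight[f["exposure"]]
        ranked.append({**f, "criticality": crit, "priority": round(score, 1)})
    ranked.sort(key=lambda r: r["priority"], reverse=True)
    return ranked, unclassified


# Constructed output of a hypothetical scan: one row per finding.
FINDINGS = [
    {"id": "finding-1", "host": "payroll-db-01", "cvss": 7.5, "exposure": "internal"},
    {"id": "finding-2", "host": "lab-test-vm-17", "cvss": 9.8, "exposure": "internal"},
    {"id": "finding-3", "host": "web-shop-01", "cvss": 8.1, "exposure": "internet"},
    {"id": "finding-4", "host": "unknown-box-42", "cvss": 9.1, "exposure": "internet"},
]

# Constructed result of a business impact analysis / data classification:
# 1 = nice to have ... 4 = the business stops without it.
ASSET_CRITICALITY = {
    "payroll-db-01": 4,   # salary data, legal deadlines
    "web-shop-01": 4,     # primary revenue channel
    "lab-test-vm-17": 1,  # throw-away test box, no business data
    # "unknown-box-42" is deliberately absent: nobody has classified it.
}

# Assumed weights: internet-facing hosts are reachable by anyone.
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}


if __name__ == "__main__":
    print("CVSS only:        ", cvss_only_order(FINDINGS))
    ranked, unclassified = prioritise(FINDINGS, ASSET_CRITICALITY, EXPOSURE_WEIGHT)
    print("With business ctx:", [(r["host"], r["priority"]) for r in ranked])
    print("Needs classifying:", [f["host"] for f in unclassified])
```

Run as written, the CVSS-only view puts the disposable test VM (9.8) on top, while the business-aware ranking puts the internet-facing shop (64.8) first, then payroll (30.0), with the test VM last (9.8); the unclassified host is reported separately so the classification gap is visible. The numbers themselves are arbitrary; the point is that the scanner cannot produce this order, because the criticality column comes from the business, not from IT.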
Why this matters for business operations
Security without cohesion delivers no value.
In fact, it creates:
- wrong priorities
- noise
- no risk reduction
- false security
- and an IT Manager who believes security is purely IT
But security must be aligned with:
- continuity of services
- productivity
- reputation
- compliance
- and process & information flows.
The order in which these security functions add value
Vulnerability Management (hygiene) → SOC (visibility) → Incident Response (action) → Pentest (validation)
When separated, these functions lead to:
- duplicated work
- wrong decisions
- missed risks
- poor investments
- frustration
And without business alignment, it mainly leads to:
➡️ a false sense of security
Conclusion
When implementing information security, the question is not:
“Which security functions do we still need to implement?”
The real question is:
“How do we build an integrated, business-aligned security ecosystem that delivers real value?”