Minimum Viable Security

The non-negotiable security basics that any organization must get right — regardless of size, industry, or maturity.

The Core Argument

Of the four pillars in the Security Operating Model, Minimum Viable Security is the most critical. It is also the most opinionated, and that is intentional.

MVS makes a direct claim: any business can maintain security life-support if it invests in these fundamentals. Before frameworks, before risk quantification, before compliance programs — nail these basics. Everything else in the operating model builds on this foundation.

MVS is hyper-focused by design. You will notice that many things you might expect to see here — application security testing, incident response playbooks, data classification, security awareness training — are absent. That is intentional. The rest of the Security Operating Model addresses those capabilities. MVS is the subset that cannot wait.

While other security work can be parallelized with MVS, MVS should always be the priority until it is fully implemented.

The Goal of MVS

MVS exists to get the business out of immediate and emergent harm. It is not a maturity model. It is not a comprehensive security program. It is the minimum set of controls that buys the organization breathing room — enough to stop the most common and most damaging attack patterns while the rest of the security program is being built.

The target state for MVS is simple: reduce the probability of a catastrophic security event to a level where the organization has time and stability to invest in longer-term improvements. Once MVS is solid, you have earned the space to adopt a framework, build a risk program, and address compliance obligations without doing so under crisis conditions.


Assumptions

Technical capability exists. The organization has access to people who can implement these controls — whether internal staff, managed service providers, or consultants.

Funding is available. Budget exists to acquire commercial tools where needed. MVS does not require enterprise-scale spending, but it does require investment.

Leadership is supportive. Executives set the tone from the top. Without leadership backing, even basic security controls face adoption resistance.

If any of these assumptions are false, fix that first. MVS cannot succeed in an organization that lacks the technical talent, budget, or executive support to implement it.


Three Swim Lanes

MVS is organized into three categories. Each contains a prioritized set of controls. Items marked with a star (★) should be implemented first — they represent the highest-impact, lowest-regret investments in the set.

Identity

Identity is where most breaches start and where most damage is done. If attackers can impersonate your users or abuse forgotten accounts, no amount of perimeter defense will save you.

★ SSO and MFA
Not using multi-factor authentication for human users is a dereliction of duty. Full stop. Implementing single sign-on ensures you can reliably provision and deprovision access as people join and leave the organization. SSO also gives you a centralized control point for enforcing MFA, session policies, and conditional access.

Access Reviews
That service account IT created last year for the new integration Finance was testing? Nobody remembers it exists. Non-human identities — service accounts, API keys, machine credentials — accumulate silently and represent real exposure. Human access drifts too: people change roles and accumulate permissions they no longer need. Review both at a reasonable cadence.

Least Privilege
When that forgotten service account is eventually compromised, the blast radius is determined entirely by what it has access to. If it has write access to sensitive systems or can read your finance team’s shared files, you have a material problem. Enforce least privilege for both human and non-human identities. Grant the minimum access required, and revisit it regularly.

Protection

These controls work together: defense and communications security reduce inbound threats, monitoring watches for what gets through, backups ensure you can recover when prevention fails, and logs preserve the evidence to understand what happened.

★ Endpoint Defense
Without endpoint protection, the probability of ransomware or an attacker establishing an initial foothold is unacceptably high. Prioritize deployment to human user systems (laptops, workstations) and anything that touches the internet (web servers, edge infrastructure). Deal with the rest of the environment after those are covered.

★ Communications Security
Your communications platforms — email, messaging (Teams, Slack), and collaboration tools — are the primary delivery mechanism for phishing, social engineering, and malware. Basic protections at the platform level are foundational: anti-phishing, anti-malware, attachment and link scanning, and impersonation protection. This is separate from security awareness training, which lives outside MVS. The control here is technical: reduce the volume of malicious content that reaches your people in the first place, regardless of which platform it arrives on.

★ Backups and Recovery
Tested, isolated backups are a survival control. When ransomware encrypts your environment or a destructive attack wipes systems, backups are the difference between a recovery measured in days and one that may not be possible at all. Backups must be tested regularly — an untested backup is not a backup. They must be stored in a location that an attacker with administrative access to your production network cannot reach. And they must cover the systems and data the business needs to operate. This is not a data archival exercise — it is a business continuity control.

Monitoring
Endpoint defense and communications security generate telemetry. Are you watching it? If not, you are paying for detection capabilities and ignoring their output. Even basic monitoring — alerting on critical detections, reviewing weekly summaries — gives you visibility into what is happening in your environment and helps you understand your real risk exposure.

Logs
Things will go wrong. When they do, logs are the only thing that gives you a chance of understanding what happened, how it happened, and how far the impact spread. At minimum, collect authentication logs, endpoint detection logs, and access logs for critical systems. Store them centrally, separate from the systems generating them. Retain them long enough to be useful — if you only keep 7 days of logs, you will not have the data you need when an incident is discovered weeks after initial compromise.

Systems and Software

Unpatched, unsupported, and misconfigured systems are the low-hanging fruit that attackers exploit first. This swim lane is about reducing the attack surface that your infrastructure presents.

★ End-of-Life and End-of-Support (EOL/EOS)
You cannot patch software that the vendor has stopped maintaining. You cannot get security fixes for operating systems that are no longer supported. Keeping systems on currently supported versions is a prerequisite for everything else in this category. If you are running EOL software in production, that is your first priority.

★ Patching to SLA
Define patching SLAs if you do not already have them. Hold teams accountable for meeting them — especially for human endpoints and public-facing systems. This is a battle that never ends, so build it as a long-term operational capability, not a one-time project. Track compliance rates and report on them. Backsliding is inevitable without visibility.
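One way to turn "track compliance rates" into a concrete report, as an added example that is not part of the original page: each patch record carries its asset class, the date the fix was released, and the date it was applied, and compliance is measured per class against an SLA. The SLA values, asset classes, and inventory below are constructed assumptions for illustration, not figures from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed SLAs in days per asset class (illustrative, not the page's numbers).
# Human endpoints and public-facing systems get the tightest windows, matching
# the page's priority order.
SLA_DAYS = {"endpoint": 14, "public": 7, "internal": 30}


@dataclass
class PatchRecord:
    asset: str
    asset_class: str          # one of the SLA_DAYS keys
    released: date            # date the vendor fix became available
    applied: Optional[date]   # None means the patch is still outstanding


def days_open(rec: PatchRecord, today: date) -> int:
    """Days from fix release to application, or to today if still open."""
    end = rec.applied or today
    return (end - rec.released).days


def within_sla(rec: PatchRecord, today: date) -> bool:
    """True when the patch was (or still could be) applied inside its SLA."""
    return days_open(rec, today) <= SLA_DAYS[rec.asset_class]


def compliance_report(records, today: date) -> dict:
    """Per-class compliance rate plus the breaching assets to chase."""
    report = {}
    for cls in SLA_DAYS:
        subset = [r for r in records if r.asset_class == cls]
        if not subset:
            continue
        in_sla = sum(within_sla(r, today) for r in subset)
        breaches = [r.asset for r in subset if not within_sla(r, today)]
        report[cls] = {"total": len(subset), "in_sla": in_sla,
                       "rate": round(in_sla / len(subset), 2),
                       "breaches": breaches}
    return report


# Constructed sample inventory; hostnames and dates are made up.
TODAY = date(2024, 6, 1)
SAMPLE = [
    PatchRecord("laptop-01", "endpoint", date(2024, 5, 1), date(2024, 5, 10)),
    PatchRecord("laptop-02", "endpoint", date(2024, 5, 1), None),
    PatchRecord("web-01", "public", date(2024, 5, 20), date(2024, 5, 24)),
    PatchRecord("web-02", "public", date(2024, 5, 20), date(2024, 5, 30)),
    PatchRecord("db-01", "internal", date(2024, 5, 1), date(2024, 5, 20)),
]

if __name__ == "__main__":
    for cls, row in compliance_report(SAMPLE, TODAY).items():
        print(f"{cls:9s} {row['in_sla']}/{row['total']} in SLA "
              f"({row['rate']:.0%}); breaches: {row['breaches']}")
```

Running the same report on a schedule and keeping the per-class rate over time is what lets you see backsliding rather than guess at it.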

Secure Configurations
Disable default services that are not needed. Remove local administrator rights from users who do not require them. Turn off unnecessary network services. Harden system configurations to reduce the number of things an attacker can exploit if they gain access. The principle is simple: if your software or system does not use it, disable it.


Prioritization Logic

Do first (★ items): SSO/MFA, Endpoint Defense, Communications Security, Backups and Recovery, EOL/EOS remediation, Patching to SLA. These address the most common and most damaging attack patterns and buy the organization the breathing room it needs.

Do next: Access Reviews, Monitoring, Logs, Least Privilege, Secure Configurations. These build operational maturity on top of the foundational controls and give you the visibility needed to understand your real posture.

Each of these categories can serve as an annual improvement priority, with targets to track progress over time and key performance indicators to detect backsliding.


What Is Deliberately Missing

MVS does not cover application security, incident response, data loss prevention, security awareness training, vulnerability management programs, threat intelligence, network segmentation, or dozens of other capabilities that a mature security program requires. That is the point.

The Evidence-Based Framework pillar provides the growth roadmap for those capabilities. Enterprise Risk Management determines which of them get prioritized. External Governance may mandate specific ones. MVS is the foundation — the work that gets you out of immediate danger and gives you the stability to build the rest.


MVS is the first pillar of the Security Operating Model. Need help assessing where your organization stands on these fundamentals? Contact us.
