
Starting a Cybersecurity Program


Author: Cyberatos Consultants LLC.


This document provides practical guidance for CEOs/organizations on how to establish a robust cybersecurity program. A well-structured program is essential for safeguarding your company's information and the data entrusted to you by your customers.


It's crucial to understand that while every employee plays a role in cybersecurity, the initiative must be driven and supported from the highest levels of the organization. Leadership, governance, and clear communication are the cornerstones of a successful program.


Leadership: Setting the Foundation for Security


In any successful business endeavor, strong leadership is paramount – and cybersecurity is no exception.


Experience in building cybersecurity programs has shown that unwavering leadership support is the single most critical factor for success. Without buy-in and active endorsement from executive management, even the most well-intentioned security efforts are likely to falter. Leaders who prioritize cybersecurity actively engage with it within their organizations. They:


  • Understand their organization's most significant cybersecurity risks by identifying critical assets, potential threats, and vulnerabilities.
  • Have a clear understanding of the resources allocated to cybersecurity, including budget, personnel, and technology investments.
  • Recognize how a strong cybersecurity posture contributes to customer trust, retention, and the attraction of new business, as security is increasingly a competitive differentiator.
  • Ensure that cybersecurity goals and objectives are directly aligned with the overall strategic goals and objectives of the organization, enabling rather than hindering business objectives.
  • Lead by example by adhering to security policies and actively participating in key security initiatives, setting the tone for the entire organization.


Starting a cybersecurity program begins with a commitment from the top. If your organization's leadership is not prepared and willing to actively champion cybersecurity, then establishing an effective program that truly protects your organization and its customers will be significantly more challenging.


Effective cybersecurity leadership is built upon a clear and demonstrable commitment. This commitment should be:


  • Documented: Formally recorded in organizational policies and, where appropriate, reflected in marketing materials and customer agreements to build trust.
  • Verbally Communicated: Regularly discussed in internal communications, including company-wide meetings and departmental updates.
  • Demonstrated Through Action: Evidenced by tangible steps such as the formal establishment of the cybersecurity program, allocation of a dedicated cybersecurity budget, consistent enforcement of security policies, and active involvement in security-related projects.


If your organization's leadership is ready to embrace this commitment, the next crucial step is to establish governance.


Establish Governance


Your organization's leadership will not manage the day-to-day operations of the cybersecurity program. Therefore, the first step in building a successful program is to establish clear governance. This involves defining who within your organization will be responsible for specific processes and technologies.


Cybersecurity governance is the process of determining and assigning responsibilities within your organization for all aspects of information security. Begin by outlining how information will flow within the cybersecurity program, both at a strategic (long-term planning) and tactical (day-to-day operations) level.


The governance structure should clearly define roles, assigned responsibilities, accountability, and communication channels for your cybersecurity program at each level. While the specific structure may vary depending on your organization's size and complexity, key roles and bodies typically include:


  • Information Security Committee: This committee provides strategic direction, oversight, and ensures alignment with business goals.
  • CISO, ISO, CIO, etc. (Dedicated Security Leadership): This individual or team is responsible for the day-to-day management and implementation of the cybersecurity program.
  • All Employees, Contractors, Vendors, and Third Parties: Everyone within and interacting with the organization has a role in maintaining security.


Communication


Communication is paramount for effective cybersecurity governance. Regular and transparent communication between all these roles is essential. As research highlights, a lack of communication between security teams and company executives can lead to significant vulnerabilities. Good governance fosters good communication.


Information Security Committee

While committees can sometimes be ineffective, a well-structured and engaged Information Security Committee is vital. To ensure its success, the committee should have:

  • A documented charter outlining:
      • Purpose: The committee's reason for existence.
      • Scope: The areas of cybersecurity the committee oversees.
      • Membership: Who will participate in the committee.
      • Responsibilities: The specific tasks and duties of the committee.
      • Schedule: How often the committee will meet.
  • Documented meeting agendas: To ensure meetings are focused and productive.
  • Documented meeting minutes: To track decisions, action items, and progress.


Common responsibilities for the Information Security Committee may include:

  • Formulating, reviewing, and recommending cybersecurity policies.
  • Reviewing the effectiveness of policy implementation.
  • Providing clear direction and visible management support for security initiatives.
  • Initiating plans and programs to enhance cybersecurity awareness.
  • Ensuring that security activities are executed in compliance with policies.
  • Identifying and recommending how to address instances of non-compliance.
  • Approving methodologies and processes for cybersecurity.
  • Identifying significant emerging threats and vulnerabilities.
  • Assessing the adequacy and coordinating the implementation of security controls.
  • Promoting cybersecurity education, training, and awareness across the organization.
  • Evaluating information received from security monitoring processes.
  • Reviewing cybersecurity incident information and recommending follow-up actions.


The Committee should communicate regularly with organizational leadership and the individual(s) responsible for day-to-day security management (CISO, ISO, CIO, etc.).

Committee membership should include individuals with the authority to represent different parts of the organization and those who can champion cybersecurity initiatives. Ideally, this includes leaders from various business units, and the committee size should be manageable (e.g., 6-8 members).


CISO, ISO, CIO, etc. (Dedicated Security Leadership)


This is the individual or team responsible for the daily management of cybersecurity. Their specific title may vary (Chief Information Security Officer, Information Security Officer, Chief Information Officer with security responsibilities, Director of IT Security, etc.).


This role is accountable for ensuring that the strategic direction set by leadership and the Information Security Committee is translated into practical implementation, in accordance with established policies and business processes. Their responsibilities must be clearly documented, communicated, and their performance measured.


Typical responsibilities may include:

  • Ensuring compliance with all applicable cybersecurity requirements (e.g., legal, regulatory, contractual).
  • Developing and maintaining plans and procedures for business continuity and disaster recovery related to information systems.
  • Ensuring that organizational personnel are adequately trained on cybersecurity policies, processes, standards, and guidelines.
  • Reporting annually (or more frequently as needed), in coordination with senior management, to the Information Security Committee on the effectiveness of the Cybersecurity Program, including progress on remediation efforts.
  • Leading a dedicated function with the necessary mission and resources to support the organization's compliance with cybersecurity requirements.
  • Assessing risks and the potential impact of unauthorized access, use, disclosure, disruption, modification, or destruction of organizational information and systems.
  • Developing and maintaining cybersecurity policies, procedures, and control techniques throughout the lifecycle of all organizational information systems.
  • Facilitating the development of subordinate plans for securing networks, facilities, and systems.
  • Ensuring that all personnel, including contractors, receive appropriate cybersecurity awareness training, including incident response and management.
  • Training and overseeing personnel with significant cybersecurity responsibilities.
  • Implementing and maintaining a process for planning, implementing, evaluating, and documenting remedial actions to address any weaknesses in the organization's cybersecurity policies, procedures, and practices.
  • Developing and implementing procedures for testing and evaluating the effectiveness of the Cybersecurity Program against stated objectives (e.g., penetration testing, vulnerability assessments).
  • Reviewing and managing the cybersecurity policy exception request process.


In essence, this role takes the strategic direction from leadership and the Information Security Committee and puts it into action.


All Employees, Contractors, Vendors, and Third Parties

Everyone connected to the organization has a role to play in cybersecurity. It's not solely an IT concern. Initial responsibilities for all personnel may include:


  • Understanding all cybersecurity policies that constitute the organization's Cybersecurity Program.
  • Using organizational information and resources in compliance with all Cybersecurity Policies.
  • Seeking clarification from the Information Security Committee on any unclear cybersecurity-related matters.
  • Communicating regularly with the Information Security Committee by providing feedback and reporting potential security concerns.


While these responsibilities may seem like common sense, a proactive approach to cybersecurity requires clear articulation and reinforcement of these expectations.


Building the Cybersecurity Program: A Step-by-Step Approach


With governance established, you can begin the process of building your cybersecurity program through a structured approach.


Choose a Standard or Framework

Selecting a cybersecurity standard or framework provides a set of best practices and guidelines to aim for. While leadership doesn't need to be involved in the detailed selection process, it's important to be aware that a standard has been chosen and which one it is. This task can be effectively delegated to the Information Security Committee and/or the dedicated security leadership.


Some widely recognized and valuable standards and frameworks include:


  • ISO/IEC 27001: The leading international standard for information security management systems (ISMS).
  • NIST SP 800-53: A comprehensive catalog of security and privacy controls widely adopted by various organizations.
  • COBIT (Control Objectives for Information and Technology): A framework focused on the governance and management of enterprise IT.
  • NIST Cybersecurity Framework 2.0: A flexible and risk-based approach to managing cybersecurity risks, referencing various other standards.


Choosing a standard or framework provides your organization with a baseline of controls to implement and against which to measure your progress.


Develop Policies

Once a standard or framework is selected, the next step is to develop your cybersecurity policies. These provide the foundational framework for all cybersecurity initiatives within the organization. While leadership typically doesn't write these policies, it's crucial to review and approve them.


Three key actions are required at this stage:

  1. Develop and document a policy approval process: This process should align with your established governance structure and organizational culture, outlining the steps for creating, reviewing, and approving policies.
  2. Determine which policies should be written: The chosen standard or framework will guide policy development. Policies should address all aspects of your organization's security requirements and operations.
  3. Write, approve, and adopt (enforce) policies: Policies should be clear, concise, and easily understood. They must be formally approved by leadership and then actively adopted and enforced throughout the organization.


Develop and Approve Policies

When determining which policies to write, consider:

  • Alignment with the chosen standard/framework: The standard will guide policy development.
  • Policy as the basis for all security actions: Every security activity should be authorized and supported by a documented policy, providing the basis for enforcement.
  • Policy structure for easy reference: Policies should be structured logically for quick access to necessary information (e.g., shorter, topic-specific policies). An overarching cybersecurity policy supported by specific issue-based policies is a good approach.
  • Mandatory leadership approval and organization-wide compliance: All cybersecurity policies require leadership approval, and compliance is mandatory for everyone.


Approve Policies

The policy approval process varies from organization to organization. The process you choose (or that your Information Security Committee chooses) should fit with your governance (see above) and your culture. The Figure below depicts a simple and effective policy approval process.


Implement and Enforce Policies


With policies in place, you can begin to implement the standards, guidelines, procedures, and technologies that enable your organization to comply with the policy provisions. It's important to understand three key aspects of policy implementation and enforcement:


  • Approval does not equal implementation: An approved policy signifies management's direction. Full implementation involves putting the necessary controls, processes, and technologies into practice. This can take time.
  • Policies are ineffective without enforcement: Consistent enforcement is crucial for policies to have practical value. Leadership's commitment includes ensuring this enforcement.
  • Establish an exception process: A documented process should exist for handling situations where strict compliance with a policy provision is not immediately feasible. Policy exceptions should be reviewed and approved by the Information Security Committee and reviewed regularly (at least annually).


At this stage, a manageable and effective Cybersecurity Program lifecycle has begun.


Regular Reporting


Organizational leadership should receive regular updates on the Cybersecurity Program and any significant security events. A quarterly basis is a good starting point. These updates should provide insights into:


  • The organization's most significant cybersecurity risks.
  • The costs associated with the cybersecurity program.
  • How cybersecurity efforts contribute to customer retention and acquisition.
  • The alignment of cybersecurity goals with overall business objectives.
  • Leadership's role in compliance and key initiatives.


Summary

Organizations must prioritize the development and adoption of a robust Cybersecurity Program. Leadership's active participation and commitment have a direct and significant impact on how well sensitive information is protected. While many tasks can be delegated, the ultimate responsibility for cybersecurity cannot.

The Cybersecurity Program development process involves: Leadership Commitment
With a Cybersecurity Program firmly in place, the organization can transition to ongoing management and continuous improvement, providing greater confidence in its ability to protect its assets and meet stakeholder expectations.


If you need help building your information security program—whether it’s from square one or just to make top-end improvements—reach out to us at https://cyberatos.com/contacts.