How to build a cybersecurity program from the ground up.

Like most IT systems and processes, security grows organically, and it is hard to know where to start or how to build a cybersecurity program. I will spare the reader raves and rants about security tools, testing, and individual successes and focus on a recommendation that comes from a seven-year journey of building a security program.

There are so many sources of information about how and what to do that I will leave the reader to search on their own. Here is my approach:

Step 1: Work with company leaders to make security a top priority, and hold a weekly meeting with leaders whose responsibilities together cover the entire organization. It is entirely appropriate to cancel the weekly security meeting if there are no issues to report or other priorities arise. Simply knowing that time is dedicated to the security program and that leaders have an ongoing meeting keeps the topic in mind. A separate security-focused meeting also ensures that business priorities are handled by the appropriate groups rather than mixed into the security agenda.

Step 2: Keep your security policy in one document and review it several times a year. Never write policies for things you merely want to happen; write policies only for requirements that can be backed by a technical control or by monitoring that alerts on violations. My preferred name for the security policy is the “Acceptable Use Policy”. Simple starting points for the policy are items like minimum password length and maintaining appropriate settings on your computer.

Step 3: Map existing systems to the NIST 5, the SANS 20, or the cybersecurity framework of your choice. For regulated industries, complete the applicable security checklists to identify the critical elements and the items that are missing.

Step 4: With automated reporting, autonomous testing, and change management in mind, implement each item of the security framework. It may not be obvious, but the NIST 5 and SANS 20 Critical Frameworks are listed in order of importance. All of these frameworks start with hardware and software inventories, so start there.

Management Consulting, Staffing, and Recruiting:

The HT Group is a comprehensive management consulting, staffing, and recruiting agency in Austin, built upon the foundation of integrity, transparency, and trust. Deeply rooted in its communities, The HT Group’s philosophy is to change lives, one job or project at a time. With an agile core, The HT Group team delivers services through contract, retained search, direct-hire, management consulting, and advisory services. The HT Group strives to go above and beyond and truly empower its clients.