Cyber security, information security, or security … each refers to something specific, but these all mean more or less the same thing.
Identifying and protecting your business, information, and technology.
Maintaining the security program and planning for response and recovery.
Scary Numbers
Plenty of them. These are unverified, but they can be. Even if they are only half right, they are attention-getting.
- 28% of SMB* have no cyber security controls in place.
- 60% of SMB go out of business within six months of a breach.
- 450,000 new malicious or unwanted apps are registered daily.
- About 2200 cyberattacks daily, one every 39 seconds.
- In 2011: five major ransomware attacks annually. By 2024: 25 per day.
- In 2022, there were 5.4 billion attacks globally.
Need more? Search “scary cybersecurity numbers”. It’d be fun if it wasn’t terrifying.
* Small and Medium-sized Business
More FAQ
How to start your cyber security program?
A good start is just thinking about and writing down your important information assets, the threats to and impact of losing them, and taking steps to be prepared to respond and recover.
Building from the Information Security Model Canvas can organize the development or improvement of a program. Governance, documentation, and a cyber security policy are important parts. It shouldn’t be complex, but it does need to be written down.
See Starting Your Cyber Security Program for more details.
Pragmentum’s free self-assessment can help you jump-start your program. See Pragmentum Services for details on our services and the free stuff on this site.
Another view of the steps is here.
What is a good security budget?
You can get started for very little capital and any kind of program makes a big difference.
Use of information, technology, and the type and depth of infrastructure you have in place drive the costs to identify, protect, detect, respond, and recover.
Of critical importance: know how the cyber security program’s investments help your business meet its objectives. Identify and focus on protecting the important parts.
What’s the most important action to take?
There is no clear winner, but some top contenders include:
- Risk assessments – It always starts with a risk assessment
- Inventory hardware and software – you can’t protect what you don’t know about (these are the top two of the Top 18 CIS Controls)
- Cyber Security Awareness – Most breaches trace to a lack of it
- Malware controls – on every endpoint, keeping them updated
- Documenting the program – a method to maintain and improve and to communicate to your team
- Backups – great to have if you lose your data or have it stolen in a ransomware attack
- Physical security – locking things up, addressing the risks associated with the physical world
- Measurement – meaningful metrics to monitor how the program is doing, if things are getting better or worse, and where it needs investment