The information security model canvas
Manage by seeing.
Your cyber security program, visualized.

The framework above organizes the primary elements of a cyber security program. This provides a structure for the program description.
The Information Security Model Canvas is a standards-based, intuitive, scalable, and easy to manage framework to build, document, communicate, and help sustain a cyber security program for your business.
The model organizes your program’s description. In a Program Description Document that mirrors the model, you fill in the blanks with as much detail as you need to guide implementing and maintaining the cyber security program elements and controls that protect your business.
If you want to improve your cyber security, you can follow the steps on the Getting Started page. We can help you with our free consultation.
This model, in its detail form shown below, can be used to validate, monitor, communicate, and improve an existing program or to create a new program.
Each object in the detailed model, shown and then described below, represents a part of the program.
The model structures these elements to keep the program focused on business objectives: what to protect, how to respond and recover, and how to prioritize sustaining and improving your program.

The Details …
Awareness
Cybersecurity awareness is crucial: many breaches begin with a user action, such as opening a phishing message or reusing a password, that training could have prevented. Effective awareness training requires resources and funding.
Business Architecture
Documenting your capabilities, value streams, and organization structures to align your cyber security program to your business.
Keeping this architecture current keeps your business and security objectives aligned and prioritized.
Business Security Objectives
What the cyber security program is to accomplish or how it can be made more effective.
Describing your vision and security roadmap helps focus and manage your cyber defense activities.
Security Program Objectives
The specific tasks and projects to develop, sustain, and improve your cyber security program.
Setting and keeping improvement focused on the important assets and risks.
Compliance, Audit, Regulators
Maintaining evidence of the program’s effectiveness. Activities and documentation about the state of the program to show its strengths and areas for improvement. Any legal or regulatory requirements your business must meet.
Compliance ensures adherence to security standards and legal requirements. Audits verify controls and identify gaps for improvement. Regulators set expectations, making compliance essential for risk management and trust.
Assessment, Investment
Assessing the state of the program and its value, and budgeting for maintenance, monitoring, and improvements.
Assessment identifies risks and gaps, guiding security improvements. Investment ensures the resources needed to strengthen defenses and resilience.
Information
Risks *
Identifying the risks to the information assets.
Managing the risks to your information assets, and preparing response plans for the events those risks could produce, dramatically improves your security posture and your ability to get the business back up quickly and inexpensively after an incident.
Information Assets *
The information that your business uses. The crown jewels to consider and protect. The primary focus of information risk management.
Identifying, documenting, managing, and monitoring your information assets is a key step to develop a cyber security program.
* If you do nothing else, at least do something for these two (and malware control).
Security
Program
The primary parts of the business’s cyber security focus: the technical, administrative, and physical controls and the governance your business needs to develop, communicate, and keep the program effective. The policies, standards, and procedures that are the program.
Developing a structure for the elements of your cyber security program enhances management and effectiveness. The program can be maintained as a set of documents or in an online repository, but it must be written down.
Response & Recovery Strategy
Developing and maintaining incident response and recovery plans.
Preparing for incidents is one of the most effective ways to strengthen your security, reduce downtime, and maintain trust. By identifying key risks, planning your response, and practicing recovery steps, you can bounce back faster with less disruption and lower cost when something goes wrong.
Core Practices
Core practices are the day-to-day activities that keep your cybersecurity program running. They include tasks like patching systems, managing accounts, training staff, and monitoring for unusual activity. These small, repeatable actions form the foundation of your protection and reduce risk over time.
Physical Security
Building security and policies for handling physical assets.
Protecting your business means more than digital safeguards. Physical security includes locks, alarms, surveillance, and access controls, all aimed at keeping your equipment, records, and workspaces safe. Clear policies for handling devices, storage media, and facility access help ensure that sensitive information stays protected from theft, damage, or unauthorized use.
Data Management
How data is used and protected.
Data is at the core of every modern business. Managing it means knowing what data you collect, where it lives, who accesses it, and how it’s protected. Effective data management ensures that sensitive records are stored securely, backed up, retained appropriately, and shared only with trusted parties — reducing risk and supporting privacy, compliance, and recovery efforts.
Policies, Strategy – Controls, Standards
Policies – Concise documents that set boundaries and provide direction for your program, incident response, recovery, and information protection.
Strategy – Considering and documenting how you are going to accomplish your security goals.
Controls – The things in place to protect your business.
Standards – Formal or informal descriptions of how controls are configured and how cyber security activities are carried out.
Developing policies is essential, as they establish clear guidelines and expectations for all stakeholders. A well-defined strategy aligns the cyber security program with business objectives, ensuring a focused approach. Controls serve as the protective measures that mitigate risks and strengthen defenses. Standards document the program’s implementation, ensuring consistency and compliance.
Endpoints, Infrastructure – Users, Customers, 3rd Parties
Endpoints – Typically, the computers you or your team use.
Infrastructure – Other technology components used in your business.
Users – You and your people. Optionally, your customers and suppliers.
Customers – Consumers of your product and suppliers of any data you keep on them.
3rd Parties – Suppliers and other entities that you interact with.
Endpoints are critical assets that must be secured to prevent unauthorized access and data breaches. Infrastructure forms the backbone of the organization’s operations and requires robust protection to ensure availability and resilience. Users play a key role in cybersecurity, and their awareness and adherence to security practices and policies are essential. Customers trust the organization to safeguard their data, making security a fundamental responsibility. Third parties introduce additional risk, requiring vetting and continuous monitoring to ensure they meet security standards.
Threats
Threats include phishing, ransomware, insider risks, credential theft, supply chain disruption, insecure remote access, and data leaks. Weak passwords and unpatched systems are the vulnerabilities those threats exploit; they are listed under Vulnerabilities below.
Identifying and analyzing your threats focuses defenses and funding.
Vulnerabilities
Vulnerabilities include weak passwords and authentication, unpatched software, lack of cyber security awareness training, misconfigurations, unvetted 3rd parties, device theft, and inadequate backups.
Addressing these can prevent financial or data losses, disruptions, and reputational damage.
Governance and Change Control
Documentation is how the program functions. Find a safe place for a set of documents. Keep it simple to start. Then keep it simple.
The level of detail and structure should match the organization’s needs, culture, and risk appetite.
Program Oversight & Control
Clear leadership enables program results.
Oversight ensures that your cybersecurity program stays on track and aligned with your business goals. It includes assigning responsibility, tracking progress, managing risks, and making sure controls are implemented and working. Regular oversight turns good intentions into action and helps your program stay responsive to change.
Program Review
Planned periodic assessment of the state of the program.
The threats and risks are always evolving. Program review is the regular check-in to assess what’s working, what’s changed, and what needs attention. Reviews help identify gaps, update priorities, and keep your program aligned with your risks, obligations, and business growth.