If you have or need a cyber security program, the following steps can be used to develop or improve it.

  • Establish a governance model. This can be a document or set of documents or a document management product. Start simple. Governance evolves with the program.
  • Low-hanging fruit. Address any obvious first steps, such as managing malware protection, building security awareness, creating backups, or planning response.
  • Identify the information assets and the technologies that use and manage them.
  • Consider threats and vulnerabilities. What could attack your business? How? What could disrupt or compromise your information assets? Where is your business vulnerable to an attack?
  • Consider the risks. What could happen to the information assets? What is the likelihood? What impact does losing them have on your business? Implement risk management.
  • Implement controls for each information asset risk. Consider how the assets can be protected and how they can be recovered if compromised.
  • Plan response and recovery to handle incidents quickly and minimize damage.
  • Monitor and measure threats, vulnerabilities, risks, and controls. Periodically assess the program, making adjustments as needed.

There is a lot of detail in these steps, but you can be flexible about how deep you go on each.