Building a Cybersecurity Program 101

By: Joseph Tso, CISSP

Building a cybersecurity program can seem like a challenging task, especially when faced with all the regulations in the pipeline, such as the NYS DFS Cybersecurity Regulations and the EU GDPR. Many organizations without a cybersecurity program are now required to create one. There seems to be confusion as to how to build one, and the standard question I usually hear is, "Where do we even start?" Creating a cybersecurity program does not need to be complex; it can be accomplished by starting with the fundamentals.

Know Your Data

Organizations fail at creating a cybersecurity program because they do not start with the fundamentals and instead focus on acquiring security controls to check a box. The question I always start with is, "Do you know what data you have and where it resides?" Understanding the types of data in your environment is essential: how can you protect your data if you do not know which types of data need protecting? Start by creating a data classification policy that categorizes all the types of data in your organization. Understand what data is sensitive and what data is not. Once you have a data classification policy, conduct a data flow mapping exercise on your sensitive data. A data flow mapping exercise lets you map the flow of your data from the point it enters your environment to where it is finally stored or exits. Do not overwhelm yourself by mapping every piece of data that comes into your organization; focus on the data considered critical information assets, such as intellectual property, Personally Identifiable Information (PII), and Protected Health Information (PHI). Once you understand how the data comes in, where it travels, and where it is stored, you can start identifying controls to protect it.
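The classification and data flow mapping steps described above can be kept as a small inventory and checked mechanically. The Python below is an added example, not part of the article: the classification labels, data types, required controls and flow records are all constructed for illustration. `map_flow` walks one data type from its entry point to its final store or exit point, and `unprotected_hops` lists the hops carrying sensitive data that lack a control the constructed policy requires, which is exactly where the article says the first controls should go.

```python
"""Data classification and data-flow mapping over a constructed inventory.

Added example (not from the article). Every label, data type, control name
and flow record below is constructed for illustration.
"""
from collections import defaultdict

# Constructed classification policy: label -> rank (higher = more sensitive).
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed policy: the label assigned to each data type.
DATA_TYPES = {
    "marketing_copy": "public",
    "internal_memo": "internal",
    "intellectual_property": "restricted",
    "pii": "restricted",
    "phi": "restricted",
}

# Constructed policy: controls required on every hop carrying data at or
# above the given label (lower labels inherit nothing from higher ones).
REQUIRED_CONTROLS = {"confidential": {"tls"}, "restricted": {"tls", "access_control"}}

# Constructed data-flow inventory: one record per hop of a data type.
FLOWS = [
    {"data": "pii", "src": "web_form", "dst": "app_server", "controls": {"tls", "access_control"}},
    {"data": "pii", "src": "app_server", "dst": "customer_db", "controls": {"tls", "access_control"}},
    {"data": "pii", "src": "customer_db", "dst": "analytics_export", "controls": set()},
    {"data": "phi", "src": "clinic_portal", "dst": "records_db", "controls": {"tls", "access_control"}},
    {"data": "marketing_copy", "src": "cms", "dst": "cdn", "controls": set()},
]


def classify(data_type):
    """Policy label for a data type; unknown types default to the most
    sensitive label so they get reviewed rather than silently ignored."""
    return DATA_TYPES.get(data_type, "restricted")


def is_sensitive(data_type, threshold="confidential"):
    """True when the data type's label is at or above the threshold label."""
    return CLASSIFICATION[classify(data_type)] >= CLASSIFICATION[threshold]


def required_controls(data_type):
    """Union of the controls required for the data type's label and every label below it."""
    rank = CLASSIFICATION[classify(data_type)]
    needed = set()
    for label, controls in REQUIRED_CONTROLS.items():
        if CLASSIFICATION[label] <= rank:
            needed |= controls
    return needed


def map_flow(data_type, flows=FLOWS):
    """Walk a data type from its entry point(s) to its final store or exit point.

    Entry points are sources that never appear as a destination for this data
    type. The walk is depth-first so each branch to a sink is listed in order;
    the returned list holds (src, dst) hops."""
    edges = defaultdict(list)
    sources, dests = set(), set()
    for f in flows:
        if f["data"] == data_type:
            edges[f["src"]].append(f["dst"])
            sources.add(f["src"])
            dests.add(f["dst"])
    path, seen = [], set()

    def walk(node):
        for nxt in edges[node]:
            if (node, nxt) in seen:      # guard against loops in the inventory
                continue
            seen.add((node, nxt))
            path.append((node, nxt))
            walk(nxt)

    for entry in sorted(sources - dests):
        walk(entry)
    return path


def unprotected_hops(flows=FLOWS):
    """Hops carrying sensitive data that are missing a required control.

    Non-sensitive data is skipped, matching the advice to scope the exercise
    to critical information assets rather than every piece of data."""
    findings = []
    for f in flows:
        if not is_sensitive(f["data"]):
            continue
        missing = required_controls(f["data"]) - f["controls"]
        if missing:
            findings.append((f["data"], f["src"], f["dst"], sorted(missing)))
    return findings


if __name__ == "__main__":
    for dt in sorted({f["data"] for f in FLOWS}):
        print(dt, classify(dt), "->", map_flow(dt))
    for finding in unprotected_hops():
        print("GAP", finding)
```

Running it prints each data type's path and one gap: the PII export to `analytics_export` has neither TLS nor access control, while the marketing copy on the CDN is correctly ignored because the policy does not classify it as sensitive.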

Adopt a Framework

The framework will provide the structure for your cybersecurity program. There are many frameworks to follow, such as NIST, COBIT, and ISO 27001. While ISO 27001 is considered the gold standard of frameworks, my recommendation for organizations starting a program for the first time is to use NIST or COBIT. These two frameworks are straightforward to follow for companies trying to create a cybersecurity program without the cost of hiring a third-party auditor to certify that you are ISO 27001 compliant. Another framework that is also easy to follow is the 20 CIS Controls, which are well suited to a small business. Adopting a framework will make it easier to create and understand your cybersecurity program.

Risk Management

The foundation of a cybersecurity program is risk management. Ron Ross, a renowned cybersecurity expert, states in an interview, "Information risk management, at its core, is about trade-off. When you assess risk, as part of the risk management process, you're going to find things that are not quite right." Conducting a risk assessment is essential for any organization trying to understand its risks as they pertain to cybersecurity threats. A business impact analysis and a gap analysis will also provide important information that can serve as the focal point for your business decisions. A business impact analysis helps an organization understand the impact on a business function from a cyber threat. A gap analysis identifies controls or processes that are missing. The risk assessment must be tied to the business needs as they relate to cyber threats. This is very important, as the risk assessment becomes the foundation for finding a balance between security requirements and business needs.

Program Governance

Once you have defined your cybersecurity program, make sure senior management will support it. Create a cybersecurity policy that defines the requirements for the program to be followed in the organization. Ensure every policy written has a procedure and a control. If a policy is missing a procedure or control, identify it as a gap, document it in your risk assessment, and create an action plan to resolve it. Never publish a policy without a procedure or control, as this can create failures in your program and lead to a cyber incident or breach. Create a charter and milestones for the program to document its requirements and accomplishments. Review all elements of your cyber program at least annually and update them accordingly. Continuous improvement will keep your cybersecurity program accurate and current. Lastly, stay up to date on the latest cyber laws and regulations, cyber threats, and security controls.
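The gap analysis from the Risk Management section and the rule above that no policy is published without a procedure and a control can be checked together against one program inventory. The Python below is an added example, not from the article: the policy identifiers, statements, business functions, impact ratings and likelihood values are all constructed. `find_gaps` flags each policy statement missing a procedure or control and attaches an action plan, `risk_register` scores those gaps as likelihood times the business impact from a (constructed) business impact analysis so the list is ordered by what matters to the business, and `publishable` returns only the policies that have both backing elements.

```python
"""Policy-to-control gap analysis feeding a risk register.

Added example (not from the article). The inventory, impact ratings and
likelihood values below are constructed for illustration.
"""

# Constructed program inventory: each policy statement names the business
# function it protects, the procedure and control that back it (None when
# missing), and the impact on that function if the policy fails (1-5, as a
# business impact analysis would rate it).
POLICIES = [
    {"id": "AC-1", "statement": "Access to customer PII is limited to authorized staff",
     "function": "Customer service", "procedure": "Quarterly access review",
     "control": "Role-based access in CRM", "impact": 5},
    {"id": "BK-1", "statement": "Production databases are backed up daily",
     "function": "Order processing", "procedure": None,
     "control": "Nightly backup job", "impact": 4},
    {"id": "IR-1", "statement": "Security incidents are reported within 24 hours",
     "function": "All", "procedure": None, "control": None, "impact": 5},
    {"id": "AW-1", "statement": "Staff complete security awareness training annually",
     "function": "All", "procedure": "HR onboarding checklist",
     "control": None, "impact": 2},
]

REQUIRED_ELEMENTS = ("procedure", "control")


def find_gaps(policies):
    """Policies missing a procedure, a control, or both, each with an action plan."""
    gaps = []
    for p in policies:
        missing = [e for e in REQUIRED_ELEMENTS if not p.get(e)]
        if missing:
            gaps.append({
                "id": p["id"],
                "function": p["function"],
                "missing": missing,
                "action_plan": [f"define {e} for {p['id']}" for e in missing],
            })
    return gaps


def risk_register(policies, likelihood, default_likelihood=3):
    """Gap entries scored as likelihood x impact, highest risk first.

    `likelihood` maps policy id -> 1..5 from the risk assessment; ids not
    rated fall back to `default_likelihood` so no gap is dropped from the
    register for lack of a rating."""
    by_id = {p["id"]: p for p in policies}
    register = []
    for gap in find_gaps(policies):
        policy = by_id[gap["id"]]
        lik = likelihood.get(gap["id"], default_likelihood)
        register.append({**gap, "likelihood": lik, "impact": policy["impact"],
                         "score": lik * policy["impact"]})
    register.sort(key=lambda r: (-r["score"], r["id"]))
    return register


def publishable(policies):
    """Ids of policies that may be published: both a procedure and a control exist."""
    gap_ids = {g["id"] for g in find_gaps(policies)}
    return [p["id"] for p in policies if p["id"] not in gap_ids]


if __name__ == "__main__":
    # Constructed likelihood ratings from the risk assessment.
    ratings = {"IR-1": 4, "BK-1": 2, "AW-1": 3}
    for entry in risk_register(POLICIES, ratings):
        print(entry["id"], entry["score"], entry["missing"], entry["action_plan"])
    print("publishable:", publishable(POLICIES))
```

With the constructed ratings the register puts the incident reporting policy first (score 20, missing both elements), then backups (8) and awareness training (6); only AC-1 is fit to publish. Re-running the script after each annual review is one concrete way to meet the article's "review at least annually" advice.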

Program Harmony

A cybersecurity program must balance security and business needs. Seek to achieve harmony and synergy with the organization. Over-applying security controls without involving the business will cripple the company. Attempting to create a cybersecurity program in a vacuum, without understanding the fundamentals, will cause similar harm. Do not over-think the requirements, and start slowly. Designing a program does not happen overnight. You need to exhibit patience, but rest assured that as you start your journey of creating the cybersecurity program using the fundamentals, you will see results as the program comes together.

Additional Resources:

GDPR Retention & Compliance Assurance

Friday, March 2nd, 2018 | 8:30am to 10am

Live Event Location
10 Melville Park Rd, Melville, NY

Simulcast Locations
750 Third Ave, 11th Flr, New York, NY
53 State St, 17th Flr, Boston, MA

Former White House Cyber Executive Christopher Mellen, along with executive compliance attorney Neguiel Hicks, will conduct an informative presentation on GDPR Retention and Compliance Assurance.

Join us and meet some of your peers and Marcum Technology Staff and learn about GDPR Retention & Compliance Assurance.