The Do’s and Don’ts of Building a Cyber Security Programme

Do you have a security programme that needs beefing up? Or are you involved in a startup that’s still in the planning stages of information and cyber security?

Either way, it may not be clear what is needed and where to start.

Cyber security is essential for any business these days. If information is inadvertently leaked or stolen, the consequences can be dire. Large amounts of revenue may be lost and the damage to brand reputation may be irreparable. The stakes couldn’t be higher – all businesses need a robust security programme in place.

That’s why we’ve put together this short guide to give you some pointers as to what to do and what not to do when looking to build an effective security programme.

Do: Set out your objectives

It’s important to begin by setting out your objectives clearly. Why? Because the objectives will become the foundation of your security programme. Without knowing your objectives, the programme could end up either too big and unwieldy or too small and ineffective.

Firstly, when setting your objectives, you need to identify the type of business you’re involved in. In other words, is it a rapidly scaling startup or a mature company? The objectives will differ according to the maturity and size of your business. A lean startup will probably have a higher risk tolerance than a mature company where tolerance will be much lower.

As Todd Wade, Principal Consultant at CRMG notes, ‘Setting the right objectives early on will allow you to implement the correct controls to begin with.’

Do: Check out existing cyber security frameworks

There’s no need to reinvent the wheel and come up with your own list of security controls. Use a framework such as CIS20 or the ISF Standard of Good Practice for Information Security, which describe best practices and the security controls to put in place. These tried and tested frameworks can form the backbone of your security programme, which you can then tailor to suit your business requirements.

Do: Define a security strategy

It’s important not to go into building a programme blindly. You need to answer some fundamental questions about your company:

  • What’s your mission?
  • What’s your product?
  • Who’s running the company?
  • What are the investors and shareholders interested in?
  • How agile is your business?
  • How does this all fit in with cyber security concerns?

Once you’ve answered these questions, you’ll have a good idea of your detailed security needs and can begin to set out a strategy and company-wide approach to cyber security. The CISO will probably need to create a 1- or 3-year roadmap for the CEO and Board.

To do this, they’ll need to understand what’s important to the CEO and the business. What do the CEO and Board value the most, and which assets are most critical to them? When it comes to the hard choices about what to protect, make sure you protect what the business values most first.

Don’t: Spend millions on a security ‘solution’

A common mistake that medium to large-sized companies make is spending millions implementing an “out-of-the-box” security solution that isn’t suitable for their business and doesn’t fit their cyber risk profile and regulatory requirements.

As Simon Rycroft, Director at CRMG points out, “spending millions on a security programme can slow down your business if you don’t get it right.” As noted above, the most important thing is to set out a strategy that suits your business and objectives and then the rest will follow.

Don’t: Neglect regulatory requirements

You need to create a security programme that fits your cyber security profile. But you also need to be mindful of regulatory requirements. Try to strike a balance between delivering what you need to meet current regulation and covering your business objectives.

For instance, on top of any regulatory requirements, you may want to hold a senior management workshop on critical business activities and the cyber threats that accompany them. This will make sure that the programme is tailored to your business.

Don’t: Overcomplicate the programme

The CISO of a company needs to ensure that the programme gets buy-in from the whole business, and most importantly the top brass. It is critical that the CISO sets the tone from the beginning and raises cyber awareness across the business. Therefore, it’s crucial not to muddy the waters by overcomplicating the way the programme is communicated. Keep things simple and in a language that everyone will understand.

In other words, don’t be overly technical. If you’re talking to the CEO about a budget for your security programme, for example, don’t talk about the specifics of the latest hacks and security threats. Frame it in a way that explains the consequences. Make sure they understand the risk of a financial loss or damage to brand reputation.
The most important things to do when setting up a cyber security programme are to set out your objectives and a clear strategy, then use existing frameworks as building blocks. However, you must make sure that you cover both regulatory requirements and the needs of the business as you do this.

Raising cyber awareness across the company by framing things in a way that people understand is important too. As Todd Wade observes, ‘You want people to view cyber security staff as partners in the business. Security is a team effort, so aim to get buy-in right from the beginning.’

Also, avoid spending lots of cash initially, as it could be money down the drain. Be pragmatic and resourceful instead. Simon Rycroft puts it like this, ‘If you’re a startup or in the early years of business growth, you’re likely to be on a restricted budget. Use your limited resources to pinpoint the areas to control, then build a strategy around that. Don’t waste money by just throwing tech solutions at cyber security and expecting the problem to go away.’

About the author

Nick Frost
Director, CRMG
Industry Specialism: Oil & Gas, Professional Services
Area of Expertise: Cyber Security Executive Management, Information Risk

For more information on how to build a cyber security programme, see the CRMG approach here.