Firestorm GlobalBook a conversation
← All insights
Strategy

Establishing a True Cybersecurity Program: From Good Habits to Durable Structure.

Tim Femister  ·  9 min read

Most organizations we work with are not starting from zero. They have deployed endpoint protection, they patch their systems, and some have MFA for key accounts. The foundation is there.

But there's a difference between having good habits and running a program. That difference is what determines your long-term risk posture.

Habits vs. Program

Good habits live with individuals; a program is sustained by the organization.

A good habit is "our IT director runs vulnerability scans." A program is "vulnerability scans run on a defined schedule, results are documented, remediation is tracked, and leadership reviews the trends."

A good habit is "we train staff on phishing." A program is "security awareness training is delivered quarterly, completion rates are tracked, phishing simulations run monthly, and results inform targeted follow-up."

The distinction matters because habits are fragile. They depend on the person who owns them. When that person leaves, changes roles, or just gets overwhelmed by competing priorities, the habit breaks. A program, by contrast, is documented, scheduled, and owned by the organization. It survives personnel changes.

Common Failure Modes

In most assessments we conduct, the gaps are in program structure rather than technology. Organizations have deployed good tools but haven't built the discipline around them to ensure they work consistently.

Here's where we see it most:

No Policy Library (or a Stale One)

Policies are the backbone of a security program. They define what your organization has committed to doing. Without them, security decisions are improvised. With outdated policies, you're operating under assumptions that may no longer match your environment.

Most organizations we assess either have no formal security policy library or have one that hasn't been meaningfully updated in three or more years. In a compliance context, outdated policies are nearly as problematic as absent ones.

No Defined Ownership

Security responsibilities exist across the organization, but in many cases nobody has formally defined who owns what. The IT director handles most things by default, but nobody has documented that HR owns access termination procedures, that finance owns payment card data security, or that facilities manages physical access controls. When ownership is assumed rather than assigned, gaps are inevitable.

No Cadence

Vulnerability scans, penetration tests, security awareness training, vendor reviews: all of these need to happen on a defined schedule. In organizations without a program, they happen when someone remembers. That means they happen inconsistently, and in many cases, important activities are months or years overdue.

No Governance Connection

Security operations and executive leadership often exist in separate worlds. The IT team makes security decisions. Leadership hears about security when something goes wrong or when budget is needed. There's no regular reporting structure connecting operational reality to strategic oversight.

Without governance, leadership can't make informed risk decisions. And without leadership engagement, security stays underfunded and under-prioritized.

No Tested Incident Response

Many organizations have some form of incident response plan. Far fewer have tested it. An incident response plan that has never been exercised will not function as one. When an incident begins outside business hours, the response runs on preparation, not on whoever happens to answer the phone.

The Curriculum Analogy

If you work in education, consider this parallel. A school with talented individual teachers but no curriculum framework produces inconsistent outcomes. Student experience varies dramatically by classroom. When a key teacher leaves, the program regresses because the knowledge and quality lived in that person, not in the institution.

Schools solve this by building curriculum: scope and sequence, learning objectives, assessment rubrics, and instructional frameworks. Individual teachers still bring their talent and expertise, but the program provides consistency and durability.

Cybersecurity programs work the same way. Your IT team brings the technical expertise. The program provides the structure that makes their work consistent, measurable, and sustainable.

What a Program Looks Like

A mature cybersecurity program doesn't require a large team or an enterprise budget. It requires structure, and building that structure is less about adding new activities than about connecting the activities the organization already performs (scans, training, vendor reviews, leadership updates) into a sustained rhythm with assigned ownership. Accountability in this context means something concrete: specific people own specific outcomes on specific timelines, and someone is tracking progress. The components:

  • Written policies that get reviewed and updated annually. At minimum: acceptable use, access control, incident response, data classification, vendor management, and business continuity.
  • Defined roles and responsibilities. Even if people wear multiple hats (and in most organizations, they do), document who owns what. Make it explicit.
  • A cadence for assessments, scans, training, and reporting. Put it on the calendar. Annual assessments, quarterly vulnerability scans, monthly phishing simulations, quarterly leadership reports, annual board reports.
  • Documented incident response with tabletop exercises. The plan should be written, accessible, and tested at least annually with a realistic scenario.
  • Vendor oversight as a process. An ongoing review cycle for vendors with access to your data or systems, rather than a one-time checklist at contract signing.
  • Leadership engagement through regular reporting. Quarterly reports to leadership, annual reports to the board. Keep them concise and focused on risk, progress, and priorities.

Where to Start

If you're reading this and recognizing that your organization has good habits but not a program, here's where to start. These three elements create the skeleton everything else hangs on:

1. Incident Response Plan

This is the most urgent gap to close. When an incident occurs, the cost of not having a tested plan is measured in days of downtime, dollars of recovery, and damage to trust. Write the plan, assign roles, document contacts (legal, insurance, law enforcement), and schedule a tabletop exercise.

2. Policy Library

Start with the essentials: acceptable use, access control, incident response, data protection, and vendor management. These five policies cover the highest-impact areas. They don't need to be long. They need to be clear, approved by leadership, and reviewed annually.

3. Governance Cadence

Establish a recurring schedule for security reporting to leadership. Quarterly is ideal. This single step creates accountability, visibility, and a natural rhythm for the rest of the program. When leadership expects a quarterly update, everything upstream (assessments, scans, training, remediation) gets done because someone has to report on it.

The Compounding Effect

Programs compound: each cycle starts from documented ground instead of memory. Your second risk assessment is more valuable than your first because you can measure change. Your third tabletop exercise is more effective because your team has built response instincts. Your policy library matures as it incorporates lessons learned.

The question is not whether your organization has good people doing good work; it almost certainly does. The question is whether that work is built on a foundation that will hold when those people move on, when budgets get tight, or when an incident tests everything you have built.

Have questions or need support with building a cybersecurity program? Start a conversation.