Building a Cybersecurity Program | Cybersecurity Policy

Slide 1 of 14  |  CSP-W2-01  |  Week 2
Building a Cybersecurity Program
Strategy  •  Governance  •  Operations  •  Maturity  •  Metrics  •  Continuous Improvement
A cybersecurity program is not a product you buy or a tool you install. It is an organizational capability -- a living system of people, processes, and technology governed by policy and driven by risk. This deck covers how programs are designed, measured, and matured from initial concept to continuous operation. Whether you are building from scratch or inheriting an existing program, these are the components that determine success or failure.
14 Slides CSP-W2-01 Week 2 CIS2208 -- Cybersecurity Policy
Slide 2 of 14
What Is a Cybersecurity Program?
Three interdependent layers that transform security from reactive firefighting into a strategic organizational function.
[Diagram: three layers joined by a feedback loop. STRATEGY: mission alignment, risk appetite, investment priorities, business objectives. GOVERNANCE: policies, standards, oversight, accountability, compliance frameworks. OPERATIONS: detection, response, patching, monitoring, incident handling, day-to-day defense.]
Strategy
Defines why the program exists and what it must protect. Aligns security investments with business objectives and risk appetite. Strategy is set by executive leadership and the CISO. Without strategy, security teams solve the wrong problems with the wrong priorities.
Governance
Translates strategy into enforceable rules. Policies, standards, and procedures create the framework that tells the organization what is required, what is acceptable, and what is prohibited. Governance ensures accountability through oversight and audit.
Operations
Executes the program day to day. SOC analysts, incident responders, vulnerability managers, and security engineers do the work that governance mandates and strategy funds. Operational data feeds back into strategy through metrics and lessons learned.
Key Insight
Most organizations start with operations -- buying firewalls, deploying antivirus -- and never build governance or strategy. That creates a reactive posture where every incident is an emergency and spending has no direction. Mature programs build top-down: strategy drives governance, governance directs operations.
Slide 3 of 14
People, Processes, Technology
The three pillars of any cybersecurity program. Technology alone cannot solve security problems -- it requires trained people following defined processes.
[Diagram: the cybersecurity program rests on a risk management foundation. PEOPLE: hiring, training, awareness, culture, retention. PROCESSES: policies, procedures, playbooks, workflows, audit cycles. TECHNOLOGY: SIEM/SOAR, EDR/XDR, firewalls, IAM/PAM, scanners.]
People (60% of the equation)
The most expensive and most critical pillar. Includes security staff, executive sponsors, and every employee who clicks links or handles data. The global cybersecurity workforce gap exceeds 3.4 million. Retention is as important as hiring.
Processes (30% of the equation)
Documented, repeatable procedures that ensure consistency regardless of who is on shift. Without processes, security depends on individual heroics. Processes must be tested, reviewed, and updated. A playbook nobody follows is decoration.
Technology (10% of the equation)
Tools amplify people and automate processes -- they do not replace either. Buying a SIEM without staff to monitor it or runbooks to guide response is wasted budget. Technology is the enabler, not the solution.
Common Failure
Organizations chronically over-invest in technology and under-invest in people and processes. A $500,000 SIEM generating 10,000 alerts per day with two junior analysts and no triage playbook produces alert fatigue, not security. The tool works; the program does not.
Slide 4 of 14
Cybersecurity Maturity Models
Maturity models provide a structured path from ad-hoc security to optimized, continuously improving programs.
[Diagram: maturity ladder, increasing left to right. Level 1 Initial, Level 2 Managed, Level 3 Defined, Level 4 Quantitative, Level 5 Optimizing.]
CMM (Capability Maturity Model)
Originally from Carnegie Mellon for software engineering, adapted for cybersecurity. Five levels from ad-hoc to optimizing. Provides a universal language for measuring organizational capability. Many industry frameworks map their maturity scales to CMM levels.
C2M2 (Cybersecurity Capability Maturity Model)
Department of Energy model for critical infrastructure sectors. Focuses on ten domains including risk management, asset management, and situational awareness. Uses MIL (Maturity Indicator Level) scores 0-3. Free, self-assessment-based, and sector-agnostic despite its origins.
CMMC (Cybersecurity Maturity Model Certification)
Department of Defense requirement for all defense contractors. Three levels (Foundational, Advanced, Expert) mapped to NIST SP 800-171 controls. Level 2+ requires third-party assessment. Non-compliance means losing government contracts -- it is a business survival requirement.
Why Maturity Models Matter
Maturity models answer two questions: "Where are we now?" and "What does the next level look like?" Without a maturity model, organizations cannot objectively measure progress, benchmark against peers, or justify investment to leadership. They also prevent the common trap of jumping from Level 1 to Level 5 ambitions -- you cannot skip levels.
Slide 5 of 14
Security Program Components: The Policy Hierarchy
Four layers of documentation, each serving a distinct purpose. Confusing them leads to unenforceable, ignored policy.
[Diagram: enforcement hierarchy. POLICIES: mandatory / what, board-approved. STANDARDS: mandatory / how, CISO-approved. PROCEDURES: step-by-step / who and when, team-authored. GUIDELINES: recommended / optional best practices, advisory.]
Policies
High-level, mandatory statements approved by executive leadership or the board. State what the organization will and will not do. Example: "All sensitive data must be encrypted at rest and in transit." Policies are technology-agnostic and change infrequently.
Standards
Mandatory specifications that define how policies are implemented. Example: "Encryption must use AES-256 for data at rest and TLS 1.3 for data in transit." Standards are technology-specific and updated as technology evolves.
Procedures
Step-by-step instructions for carrying out standards. Answer who does what, when, and in what order. Example: "The database team configures AES-256 using the following steps..." Procedures are operational documents maintained by the teams that execute them.
Guidelines
Non-mandatory recommendations and best practices. Provide flexibility where rigid rules are inappropriate. Example: "When selecting a password manager, prefer tools with FIDO2 support." Guidelines suggest; they do not mandate.
Common Mistake
Writing a 60-page document and calling it a "policy" when it contains policies, standards, procedures, and guidelines mixed together. The result is unreadable, unenforceable, and impossible to maintain. Each layer must be a separate document with its own approval authority, review cycle, and audience.
Slide 6 of 14
Security Operations: SOC, SIEM, and Incident Response
The operational engine of the cybersecurity program -- where detection, analysis, and response happen in real time.
[Diagram: log sources (firewalls, endpoints/EDR, cloud logs, IAM/auth, email gateway) feed the SIEM (correlation, detection rules, alerting), which feeds SOC analysts (Tier 1 triage, Tier 2 investigation), who escalate to the IR team (containment, eradication). SOAR provides automation and orchestration across the pipeline.]
SOC (Security Operations Center)
The nerve center of security operations. SOC teams monitor, detect, and respond to threats 24/7. Tiered structure: Tier 1 triages alerts, Tier 2 investigates, Tier 3 hunts for advanced threats. Can be in-house, outsourced (MSSP), or hybrid.
SIEM (Security Information & Event Mgmt)
Aggregates logs from all sources, correlates events, and generates alerts based on detection rules. Modern SIEMs process millions of events per second. Without tuning, they generate overwhelming noise. With tuning, they are the single pane of glass for threat detection.
Incident Response Team
Activated when alerts become confirmed incidents. Follows a structured methodology: preparation, identification, containment, eradication, recovery, and lessons learned (NIST SP 800-61). The IR plan must be documented, tested via tabletop exercises, and updated after every major incident.
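The tuning point above is easiest to see in code. The following is an added example, not code from the CIS2208 deck or from any SIEM product: a toy correlation rule for repeated authentication failures, run over a constructed log sample with out-of-the-box settings and then with a tuned threshold and a service-account allowlist. The log lines, thresholds and account names are all constructed.

```python
"""Toy SIEM correlation rule: brute-force detection over authentication logs.

Added example, not code from the CIS2208 deck. The log lines, thresholds and
the service-account allowlist are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log sample: timestamp, result, user, source IP.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03Z auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04Z auth OK user=alice src=10.0.0.5
2024-03-01T09:05:00Z auth FAIL user=svc-backup src=10.0.0.9
2024-03-01T09:05:01Z auth FAIL user=svc-backup src=10.0.0.9
2024-03-01T09:05:02Z auth FAIL user=svc-backup src=10.0.0.9
2024-03-01T09:05:03Z auth FAIL user=svc-backup src=10.0.0.9
2024-03-01T09:05:04Z auth FAIL user=svc-backup src=10.0.0.9
2024-03-01T09:10:00Z auth FAIL user=bob src=203.0.113.7
2024-03-01T09:10:01Z auth FAIL user=bob src=203.0.113.7
2024-03-01T09:10:02Z auth FAIL user=bob src=203.0.113.7
2024-03-01T09:10:03Z auth FAIL user=bob src=203.0.113.7
2024-03-01T09:10:04Z auth FAIL user=bob src=203.0.113.7
2024-03-01T09:10:05Z auth FAIL user=bob src=203.0.113.7
2024-03-01T09:10:09Z auth OK user=bob src=203.0.113.7
"""


def parse_events(text):
    """Turn raw lines into dicts; a real SIEM does this in its ingestion layer."""
    events = []
    for line in text.splitlines():
        ts, _, result, user, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result,
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return events


def brute_force_rule(events, threshold, window, allowlist=frozenset()):
    """Sliding-window correlation per source IP.

    Fires a medium alert when a source reaches `threshold` failures inside
    `window`, and a high alert when a success follows such a burst (the
    higher-fidelity signal). Users in `allowlist` are ignored; that is the
    knob that removes known-noisy service accounts.
    """
    alerts = []
    recent_failures = defaultdict(list)  # src -> failure timestamps inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["user"] in allowlist:
            continue
        fails = recent_failures[e["src"]]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
            while fails and e["ts"] - fails[0] > window:
                fails.pop(0)
            if len(fails) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"src": e["src"], "user": e["user"],
                               "severity": "medium", "failures": len(fails)})
        elif e["result"] == "OK" and len(fails) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"],
                           "severity": "high", "failures": len(fails)})
            fails.clear()
    return alerts


def run_untuned():
    """Out-of-the-box settings: 2 failures in a minute, no allowlist."""
    return brute_force_rule(parse_events(SAMPLE_LOGS), threshold=2,
                            window=timedelta(minutes=1))


def run_tuned():
    """Tuned: 5 failures in a minute, known service account allowlisted."""
    return brute_force_rule(parse_events(SAMPLE_LOGS), threshold=5,
                            window=timedelta(minutes=1),
                            allowlist=frozenset({"svc-backup"}))


if __name__ == "__main__":
    for label, alerts in (("untuned", run_untuned()), ("tuned", run_tuned())):
        print(f"{label}: {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a)
```

On this sample the untuned rule raises five alerts, three of them for a user who mistyped a password twice and a backup account that fails on schedule; the tuned rule raises two, both for the one source that actually fits the pattern, and the second of those (success after a burst of failures) is the one a Tier 1 analyst should see first.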
Slide 7 of 14
Vulnerability Management Program
A continuous cycle of discovering, prioritizing, and eliminating weaknesses before attackers exploit them.
[Diagram: continuous cycle: Discover, Prioritize, Remediate, Verify, Report.]
Discover -- Scanning
Automated vulnerability scanners (Nessus, Qualys, Rapid7) identify known weaknesses across networks, hosts, and applications. Scans run on schedule -- weekly for critical assets, monthly for others. You cannot fix what you have not found.
Prioritize -- Risk-Based Ranking
Not all vulnerabilities are equal. CVSS scores provide severity, but context matters more. A critical vulnerability on an internet-facing server with sensitive data is a different risk than the same CVE on an isolated test machine. Prioritize by exploitability, asset value, and exposure.
Remediate -- Patch & Mitigate
Apply patches, update configurations, or implement compensating controls. Remediation has SLAs: critical vulnerabilities within 48 hours, high within 7 days, medium within 30 days. When patching is not possible, document the risk acceptance with compensating controls.
Verify and Report
After remediation, rescan to confirm the fix worked. Report metrics to leadership: total vulnerabilities, mean time to remediate, percentage of assets scanned, SLA compliance rate. A vulnerability management program without metrics is a hope-based strategy.
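The prioritize and remediate steps above can be expressed as a small scoring routine. This is an added example, not the deck's own material or any scanner's logic: it starts from CVSS, adjusts for exposure, exploitability and asset value, maps the result onto the slide's SLA windows (48h / 7d / 30d), and flags SLA breaches. The findings, multipliers, asset-value scale and bucket thresholds are constructed, and the CVE identifiers are placeholders.

```python
"""Risk-based vulnerability prioritization with SLA deadlines.

Added example, not from the deck. The findings, the adjustment multipliers,
the 1-5 asset-value scale and the bucket thresholds are constructed; the SLA
windows (critical 48h, high 7d, medium 30d) are the ones the slide states.
CVE ids are placeholders, not real identifiers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA_WINDOWS = {
    "critical": timedelta(hours=48),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
}


@dataclass
class Finding:
    host: str
    cve: str                 # placeholder id, e.g. "CVE-0000-00001"
    cvss: float              # CVSS base score, 0-10
    internet_facing: bool    # exposure
    asset_value: int         # 1 = throwaway lab box ... 5 = crown jewel (constructed scale)
    exploit_available: bool  # public exploit or active exploitation known
    discovered: datetime


def risk_score(f):
    """CVSS gives severity; exposure, exploitability and asset value give context."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploit_available:
        score *= 1.3
    score *= 0.5 + 0.25 * f.asset_value   # value 1 -> x0.75, value 5 -> x1.75
    return score


def bucket(score):
    """Map the contextual score onto the SLA tiers (thresholds are constructed)."""
    if score >= 15:
        return "critical"
    if score >= 7:
        return "high"
    return "medium"


def prioritize(findings):
    """Return findings highest-risk first, each with its SLA bucket and deadline."""
    rows = []
    for f in findings:
        s = risk_score(f)
        b = bucket(s)
        rows.append({"host": f.host, "cve": f.cve, "score": round(s, 2),
                     "bucket": b, "deadline": f.discovered + SLA_WINDOWS[b]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


T0 = datetime(2024, 3, 1, 8, 0)             # constructed scan time
REPORT_TIME = datetime(2024, 3, 4, 8, 0)    # constructed report time, 72h later


def overdue(rows, now=REPORT_TIME):
    """SLA breaches: anything whose deadline has passed without remediation."""
    return [r for r in rows if now > r["deadline"]]


# Constructed findings. The first two carry the SAME placeholder CVE: one on an
# exposed crown-jewel web server, one on an isolated lab box.
FINDINGS = [
    Finding("web-01", "CVE-0000-00001", 9.8, True, 5, True, T0),
    Finding("test-lab-03", "CVE-0000-00001", 9.8, False, 1, True, T0),
    Finding("db-02", "CVE-0000-00002", 7.5, False, 5, False, T0),
    Finding("kiosk-07", "CVE-0000-00003", 5.3, True, 1, False, T0),
]

if __name__ == "__main__":
    for r in prioritize(FINDINGS):
        print(f"{r['bucket']:8} {r['score']:6} {r['host']:12} due {r['deadline']:%Y-%m-%d %H:%M}")
    print("overdue:", [r["host"] for r in overdue(prioritize(FINDINGS))])
```

The same CVSS 9.8 finding lands in the critical bucket on the internet-facing web server and only in the high bucket on the isolated lab host, which is the slide's point about context; three days after the scan, the web server is the one item past its 48-hour window.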
Slide 8 of 14
Third-Party Risk Management
Your security is only as strong as your weakest vendor. Supply chain attacks and vendor breaches are among the fastest-growing threat vectors.
[Diagram: third-party risk management lifecycle: Identify (vendor inventory), Assess (risk tier classification), Due Diligence (SOC 2, pen test), Contract (SLAs, breach notification), Monitor (ongoing assessment), Off-board. Supply chain due diligence callout: SolarWinds, Kaseya, Log4j -- your vendors' vulnerabilities are your vulnerabilities.]
Vendor Assessment
Classify vendors by risk tier based on data access, system connectivity, and business criticality. Tier 1 vendors (access to sensitive data or critical systems) require SOC 2 Type II reports, penetration test results, and security questionnaires. Tier 3 vendors may only need basic due diligence.
Contractual Controls
SLAs must include breach notification timelines (72 hours is standard), right-to-audit clauses, data handling requirements, and termination provisions. If your vendor is breached, your contract determines whether you learn about it in 24 hours or 6 months.
Supply Chain Risk
SolarWinds (2020) compromised 18,000 organizations through a trusted software update. Kaseya (2021) reached 1,500 businesses through a managed service provider. Your security perimeter now extends to every vendor, every library, every SaaS tool your organization uses.
Continuous Monitoring
One-time assessment is insufficient. Use continuous monitoring platforms (BitSight, SecurityScorecard) to track vendor security posture over time. Require annual reassessment for Tier 1 vendors. Vendors who pass assessment today may fail it tomorrow.
Slide 9 of 14
Metrics and KPIs
What gets measured gets managed. Without metrics, security is a black box that leadership cannot evaluate, fund, or improve.
[Figure: security program KPI dashboard. MTTD 4.2h (mean time to detect); MTTR 18.6h (mean time to respond); Patch SLA 94% compliance rate; Phishing 3.1% click rate; Audit 7 open findings; 12-month trend, Jan to Dec.]
MTTD / MTTR
Mean Time to Detect measures how quickly threats are identified. Mean Time to Respond measures how quickly they are contained. Together they define your organization's speed of defense. Industry average MTTD for breaches: 204 days. Best-in-class: under 24 hours.
Patch Cadence & Compliance
Percentage of systems patched within SLA windows. Track by severity: critical (48h), high (7d), medium (30d). A program that patches 95% of critical vulnerabilities within 48 hours has a fundamentally different risk posture than one at 60%.
Phishing & Audit Findings
Phishing click rate measures human risk -- industry average is 10-15%, well-trained organizations achieve under 3%. Open audit findings track compliance gaps. Both are leading indicators: rising click rates predict future incidents; growing audit backlogs predict regulatory trouble.
Metric Selection Principle
Choose metrics that drive behavior, not just measure activity. "Number of alerts generated" is an activity metric -- it does not tell you anything useful. "Percentage of critical alerts resolved within 4 hours" drives urgency and accountability. Every metric should answer a question that matters to the business.
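How MTTD, MTTR and patch-SLA compliance are actually derived from records is worth showing once, because the definitions decide what the numbers mean. The following is an added example, not from the deck: it computes the three from constructed incident and remediation records. MTTD is measured from the start of attacker activity to detection and MTTR from detection to containment; the SLA windows are the slide's. One design choice a practitioner has to make is visible in the code: open items still inside their window are reported as pending rather than counted either way.

```python
"""Program KPIs from raw records: MTTD, MTTR and patch-SLA compliance.

Added example, not from the deck. The incident and remediation records are
constructed; MTTD runs from attacker activity start to detection, MTTR from
detection to containment, and the SLA windows are the slide's (critical 48h,
high 7d, medium 30d).
"""
from datetime import datetime, timedelta
from statistics import mean


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed incidents: attacker start (from forensics), detection, containment.
INCIDENTS = [
    {"id": "INC-1", "start": _t("2024-03-01 02:00"), "detected": _t("2024-03-01 05:00"), "contained": _t("2024-03-01 20:00")},
    {"id": "INC-2", "start": _t("2024-03-05 10:00"), "detected": _t("2024-03-05 16:00"), "contained": _t("2024-03-06 10:00")},
    {"id": "INC-3", "start": _t("2024-03-09 00:00"), "detected": _t("2024-03-09 03:36"), "contained": _t("2024-03-10 02:24")},
]

SLA_WINDOWS = {"critical": timedelta(hours=48), "high": timedelta(days=7), "medium": timedelta(days=30)}

# Constructed remediation records; "remediated": None means still open.
PATCH_RECORDS = [
    {"severity": "critical", "discovered": _t("2024-03-01 08:00"), "remediated": _t("2024-03-02 08:00")},
    {"severity": "critical", "discovered": _t("2024-03-01 08:00"), "remediated": _t("2024-03-04 08:00")},
    {"severity": "high", "discovered": _t("2024-03-01 08:00"), "remediated": _t("2024-03-06 08:00")},
    {"severity": "high", "discovered": _t("2024-03-01 08:00"), "remediated": None},
    {"severity": "medium", "discovered": _t("2024-03-01 08:00"), "remediated": _t("2024-03-25 08:00")},
    {"severity": "medium", "discovered": _t("2024-03-10 08:00"), "remediated": None},
]
REPORT_TIME = _t("2024-03-20 08:00")   # constructed "now" for the report


def _hours(a, b):
    return (b - a).total_seconds() / 3600


def mttd(incidents):
    """Mean hours from attacker activity start to detection."""
    return round(mean(_hours(i["start"], i["detected"]) for i in incidents), 1)


def mttr(incidents):
    """Mean hours from detection to containment."""
    return round(mean(_hours(i["detected"], i["contained"]) for i in incidents), 1)


def sla_status(rec, now):
    """'met', 'breached', or 'pending' (still open but inside its window)."""
    deadline = rec["discovered"] + SLA_WINDOWS[rec["severity"]]
    if rec["remediated"] is not None:
        return "met" if rec["remediated"] <= deadline else "breached"
    return "pending" if now <= deadline else "breached"


def patch_sla_compliance(records, now):
    """Share of concluded items that met their window, per severity and overall.

    Pending items are excluded from the denominator: counting them as met
    would inflate the rate, counting them as breached would penalize work
    that is still on time. Open items past their deadline are breaches.
    """
    out = {}
    for sev in list(SLA_WINDOWS) + ["overall"]:
        subset = records if sev == "overall" else [r for r in records if r["severity"] == sev]
        concluded = [s for s in (sla_status(r, now) for r in subset) if s != "pending"]
        out[sev] = round(concluded.count("met") / len(concluded), 3) if concluded else None
    return out


if __name__ == "__main__":
    print("MTTD h:", mttd(INCIDENTS), "MTTR h:", mttr(INCIDENTS))
    print("Patch SLA compliance:", patch_sla_compliance(PATCH_RECORDS, REPORT_TIME))
```

Note that the one open high-severity item counts as a breach because its seven-day window has already passed at report time, while the open medium item does not yet count against the program.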
Slide 10 of 14
Budget Justification: Communicating Risk to the Board
Security leaders must translate technical risk into business language. The board does not fund SIEM licenses -- they fund risk reduction.
[Figure: budget allocation: 40% personnel, 25% technology, 15% managed services, 10% training, 10% compliance/audit. Industry average security spend: 6-14% of IT budget. Average breach cost: $4.45M (2023).]
Risk Quantification
Translate risk into dollars. Use annualized loss expectancy (ALE = ARO x SLE). Example: if ransomware has a 25% annual probability (ARO) and average cost of $2M (SLE), the ALE is $500K. Spending $200K on prevention with 80% risk reduction yields positive ROI.
Board Communication
Boards understand revenue, liability, and reputation -- not CVEs and CVSS scores. Frame security in terms they care about: "This investment reduces our probability of a reportable breach by 40%." "Compliance failure risks $50M in federal contract revenue."
ROI of Security
Compare cost of controls against cost of incidents. Include direct costs (remediation, legal, notification) and indirect costs (stock price impact, customer churn, regulatory fines). IBM's 2023 Cost of a Data Breach report: organizations with mature programs saved $1.76M per breach.
Budget Defense Strategy
Present three options: minimum viable (critical gaps only), recommended (balanced risk reduction), and aspirational (industry-leading posture). Let the board choose their risk appetite. Never present a single number without context -- context creates informed decisions.
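The ALE arithmetic from the Risk Quantification panel and the three-option presentation above fit in one short calculation. This is an added example, not from the deck: it carries the slide's ransomware numbers (ARO 25%, SLE $2M, $200K spend, 80% risk reduction) through to a residual ALE and an ROI, then ranks three budget options the same way. The three options and their costs and reductions are constructed, as is the modelling choice that a control reduces the likelihood of the loss event rather than its size.

```python
"""ALE and return on a security control, plus a three-option comparison.

Added example, not from the deck. The ransomware figures are the slide's
(ARO 25%, SLE $2M, $200K control, 80% risk reduction); the three budget
options are constructed to illustrate the minimum / recommended / aspirational
presentation.
"""


def ale(aro, sle):
    """Annualized Loss Expectancy = Annualized Rate of Occurrence x Single Loss Expectancy."""
    return aro * sle


def control_roi(aro, sle, control_cost, risk_reduction):
    """Residual ALE models the control as cutting the likelihood of the loss event (constructed choice)."""
    before = ale(aro, sle)
    after = ale(aro * (1 - risk_reduction), sle)
    avoided = before - after
    net = avoided - control_cost
    return {
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "avoided_loss": round(avoided, 2),
        "net_benefit": round(net, 2),
        "roi": round(net / control_cost, 4),   # 1.0 = every dollar spent returns a dollar on top
    }


def compare_options(aro, sle, options):
    """Rank budget options by net benefit so the board sees cost, residual risk and ROI side by side."""
    rows = []
    for name, cost, reduction in options:
        rows.append({"option": name, "cost": cost, **control_roi(aro, sle, cost, reduction)})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# The slide's scenario
RANSOMWARE = {"aro": 0.25, "sle": 2_000_000}

# Constructed options: (name, annual cost, estimated risk reduction)
OPTIONS = [
    ("minimum viable", 100_000, 0.50),
    ("recommended", 200_000, 0.80),
    ("aspirational", 450_000, 0.95),
]

if __name__ == "__main__":
    print(control_roi(**RANSOMWARE, control_cost=200_000, risk_reduction=0.80))
    for row in compare_options(**RANSOMWARE, options=OPTIONS):
        print(row)
```

With the slide's numbers the ALE is $500K, the residual ALE after an 80% reduction is $100K, and the $200K control returns $200K net, an ROI of 100%. In the constructed comparison the aspirational option removes the most risk but returns the least per dollar, which is exactly the trade-off the board is being asked to decide.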
Slide 11 of 14
Program Assessment: Gap Analysis and Continuous Improvement
Assessment is not a one-time event. It is a recurring discipline that identifies where you are, where you need to be, and how to close the distance.
[Diagram: Plan-Do-Check-Act loop: Assess (current state), Identify (gaps), Implement (improvements), Measure (results). Inputs: NIST CSF, ISO 27001, CIS Controls, readiness reviews, tabletops.]
Gap Analysis
Map your current controls against a target framework (NIST CSF, ISO 27001, CIS Controls). For each control area, score your current implementation level against the required level. The delta is the gap. Gaps are prioritized by risk impact, not alphabetical order.
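The scoring described above, current level against target level with the delta ranked by risk rather than alphabetically, is small enough to show in full. This is an added example, not the deck's own worksheet or any framework's official tooling: the five control areas borrow the NIST CSF function names, but the current and target levels (1 to 5, in the CMM style from Slide 4) and the risk weights (1 to 5) are constructed. It also derives a one-level-per-area plan for the next cycle, which is the "you cannot skip levels" rule from the maturity slide applied to the gap list.

```python
"""Gap analysis against a target framework, prioritized by risk impact.

Added example, not from the deck. The five control areas borrow the NIST CSF
function names; the current/target maturity levels (1-5, CMM-style) and the
risk weights (1-5) are constructed.
"""

CURRENT_LEVEL = {"Identify": 2, "Protect": 3, "Detect": 1, "Respond": 2, "Recover": 1}
TARGET_LEVEL = {"Identify": 3, "Protect": 3, "Detect": 4, "Respond": 3, "Recover": 3}
RISK_WEIGHT = {"Identify": 2, "Protect": 3, "Detect": 5, "Respond": 4, "Recover": 3}


def gap_analysis(current, target, risk_weight):
    """Score each area: gap = target - current; priority = gap x risk weight.

    Sorting is by priority, then by raw gap; alphabetical order never enters.
    """
    rows = []
    for area, want in target.items():
        have = current.get(area, 0)          # an unscored area counts as level 0
        gap = max(want - have, 0)            # exceeding the target is not a gap
        rows.append({"area": area, "current": have, "target": want,
                     "gap": gap, "priority": gap * risk_weight[area]})
    return sorted(rows, key=lambda r: (r["priority"], r["gap"]), reverse=True)


def next_cycle_plan(rows):
    """One maturity level per area for the next cycle: levels are not skipped."""
    return [{"area": r["area"], "from": r["current"], "to": r["current"] + 1}
            for r in rows if r["gap"] > 0]


if __name__ == "__main__":
    rows = gap_analysis(CURRENT_LEVEL, TARGET_LEVEL, RISK_WEIGHT)
    for r in rows:
        print(f"{r['area']:9} {r['current']} -> {r['target']}  gap {r['gap']}  priority {r['priority']}")
    print(next_cycle_plan(rows))
```

On the constructed inputs Detect comes out first (three levels short in the highest-weighted area) even though Identify sorts first alphabetically, and Protect, already at target, produces no work item at all.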
Readiness Reviews
Test your program before attackers do. Tabletop exercises simulate incidents with no-cost, discussion-based walkthroughs. Purple team exercises combine red and blue team activities. Penetration tests validate technical controls. Each method tests a different layer of readiness.
Continuous Improvement
After every incident, exercise, and audit, conduct a lessons-learned session. Document what worked, what failed, and what must change. Feed findings into the next assessment cycle. Programs that do not evolve become obsolete -- threat actors never stop adapting.
Assessment Cadence
Full gap analysis annually. Tabletop exercises quarterly. Vulnerability assessments monthly. Penetration tests annually or after major changes. Audit findings reviewed monthly. The cadence creates rhythm -- and rhythm creates discipline.
Slide 12 of 14
Case Study: Building a Program From Scratch
Two organizations, two scales, one framework. The components are the same -- the scope and budget differ.
Small Business (50 employees, $50K budget)
Year 1 Priorities:
-- Risk assessment using CIS Controls v8 Implementation Group 1 (43 safeguards)
-- Written acceptable use policy, password policy, incident response plan
-- MFA on all accounts, endpoint protection, email filtering
-- Security awareness training (KnowBe4 or equivalent, ~$3/user/month)
-- Managed SIEM through MSSP ($2-4K/month)
-- Vulnerability scanning (Qualys free tier or OpenVAS)
-- One person designated as security lead (partial role)
Enterprise (5,000 employees, $5M budget)
Year 1 Priorities:
-- Full NIST CSF gap analysis with third-party assessor
-- Policy suite: 15+ policies with standards and procedures
-- Dedicated SOC (6-8 analysts, 24/7 coverage)
-- Enterprise SIEM (Splunk/Sentinel) with SOAR automation
-- Formal vulnerability management program with SLAs
-- Third-party risk management program (50+ vendor assessments)
-- CISO reporting to CEO/board, dedicated security budget

What They Share
Both need written policy, risk assessment, incident response capability, vulnerability management, access controls, and security awareness. The components are identical -- the implementation depth varies. A $50K program is not a lesser version; it is a right-sized version.
Common Failure: Small Biz
Assuming "we are too small to be targeted." 43% of cyberattacks target small businesses. Ransomware does not check your revenue before encrypting your files. The SMB failure mode is no program at all -- not a bad program.
Common Failure: Enterprise
Buying every tool on the Gartner Magic Quadrant without integration or staffing plans. Shelfware -- purchased but unused security tools -- wastes millions annually. The enterprise failure mode is program complexity without program coherence.
Key Principle
Start with risk, not tools. Both organizations begin by asking: "What are our most valuable assets? What are the most likely threats? What controls reduce the most risk per dollar?" The answer drives the program, not the vendor pitch deck.
Slide 13 of 14
Key Takeaways
The essential principles for building and sustaining a cybersecurity program.
01 A cybersecurity program is a strategic organizational capability built on three layers: strategy, governance, and operations. Starting from the bottom up creates reactive, unfocused security.
02 People, processes, and technology are the three pillars -- in that order of importance. Technology amplifies human capability; it does not replace it.
03 Maturity models (CMM, C2M2, CMMC) provide the roadmap from ad-hoc to optimized. You cannot skip levels. Know where you are before deciding where to go.
04 The policy hierarchy -- policies, standards, procedures, guidelines -- must be maintained as separate documents with distinct approval authorities and audiences.
05 Security operations (SOC, SIEM, IR) form the detection and response engine. Without tuning, staffing, and playbooks, tools generate noise, not security.
06 Vulnerability management is a continuous cycle: discover, prioritize, remediate, verify, report. SLAs enforce accountability. Metrics prove effectiveness.
07 Third-party risk management extends your security perimeter to every vendor and supplier. Contractual controls and continuous monitoring are non-negotiable.
08 Metrics drive improvement: MTTD, MTTR, patch cadence, phishing click rate. What gets measured gets managed. What gets reported to the board gets funded.
09 Budget justification requires translating technical risk into business language. Boards fund risk reduction, not technology purchases. Use ALE and ROI frameworks.
10 Continuous improvement through gap analysis, readiness reviews, and lessons learned is what separates a living program from a document gathering dust.
Bottom Line
A cybersecurity program is never finished. It is a living system that must evolve with the threat landscape, business needs, and regulatory environment. The organizations that survive are the ones that treat security as a continuous discipline, not a one-time project.
Slide 14 of 14
Presentation Complete
Building a Cybersecurity Program -- 14 slides
Strategy  •  Governance  •  People/Process/Tech  •  Maturity Models  •  Policy Hierarchy  •  SOC/SIEM/IR  •  Vulnerability Mgmt  •  Third-Party Risk  •  Metrics  •  Budget  •  Assessment
CIS2208 Cybersecurity Policy Week 2