Building A New Cybersecurity Program From Ground Up

Hi y'all,

For you folks that have done this before (or know of people that have done it) what is the most effective or easiest resource to build a cybersecurity program from the ground up specifically for a company with less than 1000 employees. If you know of an effective resource that applies to companies of all sizes please share as well. As always, thanks in advance for the participation, engagement, and tips.

btw, I did research through Google and found the links below but they seem to be more of summarizations and opinions.
-- Link1 >> https://www.lbmc.com/blog/build-cybersecurity-program/
-- Link2 >> https://blog.rsisecurity.com/how-to-build-an-information-security-plan-for-your-small-business/

eg

Find more posts tagged with

security from scratch

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

scasc

Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info.

egrizzly

scasc said:

Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info.

You bake awesome cake @scasc. Actually having the standards frameworks to build of is awesome.

scasc

egrizzly said:

scasc said:

Align your program to a framework which helps align security objectives with business objectives. NIST CSF is pretty good. Less laborious than 800-53 I believe. CIS-20 is also good. Fundamentally, you want to be asking the question "What is it that I am looking to achieve/protect and why?" ISO 27001 is OTT and I have never been in favour - though it has some good info.

You bake awesome cake @scasc. Actually having the standards frameworks to build of is awesome.

No problem - let us know if you need anything else. Frank Kim from SANS posted a great link on this.

https://www.frankkim.net/blog/how-to-make-sense-of-cybersecurity-frameworks

Check it out.

egrizzly

Great. much gratitude buddy.

scasc

No worries

egrizzly

The interesting thing too is that in a modern metropolitan area this can probably be done using a simulated or mock office of 100, 500, or 1000 employees, etc., since the baseline security posture is typically the same for the most part for businesses of those sizes in that type of location (modern city).

veritas_libertas

We used the CIS 20 Critical Controls as a framework to guide our security program development. It's worked well and maps easily to other frameworks.