Where to start when your security program has no plan
Before tools, before audits, before a single new hire — the first job is deciding what "better" means, and in what order.
Most organizations don’t decide to skip having a security plan. They just never make one. The work arrives in pieces — a vendor questionnaire here, a scary headline there, a board member who read something on a flight — and the response is to buy a tool, chase a framework, or hire fast. A year later there’s spend, there’s activity, and there’s still no answer to a simple question: are we actually more secure, and how would we know?
The first move isn’t technical. It’s deciding what you’re protecting, what would genuinely hurt to lose, and what “good enough” looks like for a business your size. Everything useful follows from those three answers. Here’s the order we recommend.
1 · Start with what you’re protecting
You can’t prioritize risk to things you haven’t named. Before any assessment, write down what matters: the data you hold, the systems the business can’t run without, and the obligations you’ve taken on — contracts, regulations, customer promises. This doesn’t need to be exhaustive on day one. It needs to be honest. A short, accurate inventory beats a sprawling one nobody trusts.
2 · Name the few risks that would actually hurt
A risk register with two hundred rows is a filing project, not a plan. Instead, name the handful of scenarios that would genuinely set the business back: customer data exposed, operations halted for a week, a wire sent to the wrong account, a key system held to ransom. For each, ask how likely it is and what it would cost. The point isn’t precision — it’s agreement on where the real exposure sits.
Maturity isn’t doing everything. It’s doing the right things, in the right order, on purpose.
3 · Decide what “good enough” looks like
There’s no finish line in security, but there is a target state that fits your business, your risk tolerance, and your resources. A ten-person company and a regulated mid-market firm should not be aiming at the same posture. Define the level you’re trying to reach in plain terms — “we can detect and recover from a ransomware event within a day,” not “we will implement control 8.7.” The framework can come later; the intent comes first.
4 · Sequence the first ninety days
With the targets set, the roadmap mostly writes itself. The early wins are almost always the same, because they cut the most risk for the least effort:
- Get visibility — know what devices, accounts, and cloud services you actually have.
- Turn on multi-factor authentication everywhere it’s available, starting with email and admin accounts.
- Make sure backups exist, are isolated, and have been restored at least once.
- Establish a patching cadence for the systems that matter most.
None of this is glamorous, and that’s the point. The deeper work — testing, threat modeling, formal compliance — lands better once the basics hold.
5 · Then talk tools and audits
Tools and audits are how you accelerate and prove a plan — not a substitute for having one. A platform bought before you know what you’re protecting tends to become shelfware. An audit run against an immature program tends to produce findings you already knew. Sequence them after the plan, and they earn their cost.
A plan doesn’t make you secure on its own — but it’s the difference between spending with intent and spending out of anxiety. It turns a vague sense of exposure into a sequence of decisions you can actually make. That’s the work.
Write a single page that names what you’re protecting, the three risks that would hurt most, and what “good enough” means this year. That page is the start of a security program. Everything else is execution.
OP4 is an adversary-informed cybersecurity consulting firm. We help organizations identify gaps, mature their security programs, and make better security decisions.