Your Basket
Cyber security for any size of business
CREST member company
Team of friendly certified experts

Building a Cyber Security Program

A business guide to building a Cyber Security Program

Building a Cyber Security program is a big but essential step for any organisation. The goal of cybersecurity program is to protect the organisation from cyber threats. However, there is no single way to get to a point where you can say we are 100% cyber secure. With the dynamic nature of the threats coming into computing environments, the only way to be 100% cyber secure is not to exist.

You can, however, aim to be cyber resilient. Cyber resiliency is the ability to prepare for and adapt to changing conditions so you can withstand and recover quickly from interruptions to business.

There are three areas to Cyber Resilience that will form a solid cybersecurity program:

  1. Governance
  2. Testing & Assessment
  3. Monitoring & Detection




Governance is the administrative controls you place on your business. We can break it down into three sections:

  1. Policies and Procedures
  2. Education and Training
  3. Risk and Compliance Management

Policies and Procedures

An effective cybersecurity program needs balance. There is little point in implementing so much security that the profitability of the business is affected. The goal of a cybersecurity program is to keep a company or organisation at a desired security level. Governance, management, and a formal set of policies will serve as the basis of your cybersecurity program. This base, done properly, allows you to keep pace with a dynamic and evolving threat environment.

Every organisation is a little different. Your cybersecurity program will include policies and procedures as well as some plans. It can be challenging to keep up with evolving regulations and best practices that affect your organisation. That is where having a reliability advisory service is helpful.

Our cybersecurity consultants and experts can support you in planning and policy development. We are well-versed in various topics, including information security policies, incident response planning, and continuity of operations and disaster recovery.

If you are ready to strike out on your own we have an entire section on creating your Cyber Security Policy suite. Do bear in mind this is a starting point, but it will accelerate you forward a few months in your journey.

Read more about Cyber Security Policies


Education and Training

Cybersecurity is not all about technology. We have always said that cybersecurity is 70% about People, 20% about the process and the remaining 10% is the technology. People and processes are the largest components of every cybersecurity program. 

Having a solid cybersecurity program is excellent but useless unless you train your people in it. Every organisation will see significant benefits from teaching their people in the cybersecurity program and culture. 

Using security awareness training reminds people of appropriate behaviours. Good security training programs will teach your people specific skills and adopt a culture that will support the base of your cybersecurity program.

We offer a bespoke education and training program service delivered by our cybersecurity professionals. 

Read more about Cyber Security Training


Risk & Compliance Assessments

Assessing and managing risk requires a practised methodology to drive calculations that inform decision-making. We can help you assess, prioritise, and manage your security risks. We can aid in ensuring you comply with applicable regulatory standards, allowing you to reduce risk and enhance your organisation's security posture.

All of our assessments use NIST 800-30 Revision 1. We supplement the NIST standard with a host of regulatory, industry, and international standards.

Our suite of risk assessments can help you assess, prioritise, and manage your organisation's security risks. They will help enhance your people's understanding of your business processes as well as the existing control framework and the asset's criticality.


Read more about about Cyber Risk Assessments



Testing & Assessment

Testing & assessment is the continual testing of your Governance controls and your Monitoring & Detection controls to ensure they are working. There are three steps to good continual assessment:

  1. Vulnerability Assessments
  2. Penetration Testing
  3. Social Engineering

Vulnerability Assessments

Exploiting known vulnerabilities is the simplest way for cybercriminals to gain access to your organisation. Regular scanning of your network will identify these vulnerabilities so you can take steps to prioritise and remediate them. 

We offer automated vulnerability assessments for internal and external networks, applications and systems. The automated scans are human-reviewed by our pentest team and documented in an easy to read report. The findings are listed by severity and include remediation recommendations.

Our Vulnerability Scanning service is available as a subscription program. Being Human led, our pentesting team will set up your scans to run on a schedule to suit you and deliver actionable results to enable you to mitigate network vulnerability risk.


Read more about Vulnerability Assessments


Penetration Testing

Understanding how susceptible your connected world is to the exploits of a hacker is essential to every cybersecurity program. Comprehensive testing requires a skilled manual effort to determine if the vulnerabilities identified are exploitable. 

Our CREST and TIGER certified penetration testers would attempt to access your network through a myriad of techniques. We then guide you to help you prioritise mitigation and remediation efforts.

Our external perimeter testing methodology is based on the Penetration Testing Execution Standard and is continuously evolving to meet evolving best practices and form a standardised approach.

Our pentesting includes manual attack techniques, open-source intelligence gathering, and target environment-specific research. 

The final report includes the penetration testers test narrative along with details of the discovered vulnerabilities and all exploitation achieved. All vulnerabilities also include remediation recommendations.

With our internal pen testing service, you discover what an attacker could access once they have control of a device connected to your organisation's internal network. Our penetration testers use a set of sophisticated attack techniques to try to gain access to your valuable systems using a defined connection and scope. The final report details found vulnerabilities by severity for each device, along with remediation recommendations.


Read more about Penetration Testing


Social Engineering

Social engineering testing helps track the success of your cybersecurity awareness training programs and determine additional training needs. For the majority of organisations, Social Engineering testing should take place at least every six months and should complement penetration testing efforts. 

Part of Social Engineering is Phishing testing. Phishing testing assesses your employees' knowledge of anti-phishing best practices with our email phishing engagement. Our skilled pentesters will send emails to targeted employees attempting to entice them to browse an unknown website or open an attachment. The emails, written in HTML, are designed to identify both user and technical configuration vulnerabilities. All user activity is tracked to a specific email address.


Read more about Social Engineering



Monitoring & Detection

Monitoring and Detection are about looking inwards and outwards of your connected world.

Threat Detection

Cyber-attacks continue to evolve. The sophistication of cyber-attacks increases on an almost daily basis. Are you prepared for the inevitable cybersecurity incident? Reliable and consistent network analysis is essential to determine when an incident occurs. The quicker that you detect it, the easier it will be to contain it.

We recommend that all organisations use a managed threat detection and log forensics service that gives you an independent analysis of suspicious network activity from highly-trained security experts. 


Contact Us

Ask us a question, any question at all. As long as it has to do with Information Security / Cyber Security, we will get back to you with an answer.