# Building a Security Program from Scratch
Building a security program from scratch means constructing the organizational capability to protect systems, data, and operations from cybersecurity threats when no formal program currently exists. This is the starting position for most small and mid-market organizations: they have some security controls deployed (a firewall, antivirus, maybe MFA on some accounts) but no structured program that ties those controls into a measured, managed, and improving defense.
A security program is not a collection of tools. It is an operational system: assessed risk that drives prioritized controls, measured outcomes that inform investment, governance that sustains operations over time, and people who execute the work. This article provides the step-by-step path from "we have nothing formal" to "we have a functioning security program," organized by the PDM's campaign phases.
This is the map. CDA.Wiki is the territory. Every step below links to a detailed article that explains the what, why, and how.
You cannot defend what you have not assessed. The first phase is reconnaissance: understanding what you have, what you are exposed to, and where the gaps are.
The Foundational Recon Mission (FRM) is the single starting point. CDA's FRM assesses the organization's security posture across all six PDM domains and produces a quantified Posture Score per domain. The FRM is free. It takes 2 to 4 weeks. It tells you where you stand.
If you are building without CDA, the equivalent is a self-assessment against the CIS Controls v8 Implementation Group 1 (56 safeguards). Score yourself honestly against each safeguard: implemented, partially implemented, or not implemented. The result is your baseline.
**Asset inventory.** You cannot protect what you do not know exists. Inventory every system: endpoints (laptops, desktops, mobile devices), servers (physical and virtual), cloud resources (IaaS instances, SaaS subscriptions), network devices (firewalls, switches, access points), and IoT devices (cameras, printers, building systems). This is SPH-R01 territory: Security Posture and Hygiene starts with knowing what is in the environment.

**Data inventory.** Where does your sensitive data live? Customer PII in the CRM. Employee records in the HR system. Financial data in the ERP. Intellectual property in file shares. Email containing all of the above. This is DPS-R01: Data Governance and Data Classification start with knowing what data exists and where it resides.

**Identity inventory.** Who has access to what? How many user accounts exist? How many have administrative privileges? Are there shared accounts? Are there accounts for former employees that are still active? This is IAT-R01: Identity Governance and Administration and Active Directory Security start with knowing who is in the environment.

**External attack surface.** What can an attacker see from the internet? Attack Surface Management discovers internet-facing services, exposed management interfaces, misconfigured cloud storage, and dangling DNS records. This is VSD-R01.

**Vulnerability baseline.** What known vulnerabilities exist? A Vulnerability Management scan against your infrastructure produces the vulnerability inventory. This is VSD-R02.

**Threat landscape.** Who targets your industry? What techniques do they use? Threat Intelligence Operations provides the context that transforms generic security into targeted defense. This is TID-R01.
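The identity inventory questions above (how many accounts, how many administrators, which are shared, which belong to former employees) can be answered mechanically once the directory export is joined with HR status. The following script is an added example, not CDA's own tooling or code from the original article; the account records, field names, and the 90-day staleness threshold are constructed assumptions for illustration, and a real export from Active Directory or an IdP will have different columns.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    """One row of a directory export joined with HR data (constructed shape, not a real schema)."""
    name: str
    enabled: bool
    last_logon: Optional[date]   # None means the account has never logged on
    is_admin: bool
    owner: Optional[str]         # None marks a shared or service account with no single owner
    employed: bool               # HR says the owner is a current employee


# Constructed sample data; "bob" has left the company but his account is still enabled.
ACCOUNTS = [
    Account("alice", True, date(2024, 5, 1), True, "alice", True),
    Account("bob", True, date(2023, 11, 2), False, "bob", False),
    Account("svc-backup", True, date(2024, 4, 30), True, None, True),
    Account("carol", False, date(2023, 1, 15), False, "carol", False),
    Account("frontdesk", True, date(2024, 5, 1), False, None, True),
    Account("dave", True, None, False, "dave", True),
]


def review_identities(accounts, today, stale_days=90):
    """Return the findings an identity inventory should surface, keyed by category.

    Each category answers one of the inventory questions: former employees with
    live accounts, accounts holding administrative privilege, accounts with no
    individual owner, and enabled accounts nobody has used recently.
    """
    stale_cutoff = today - timedelta(days=stale_days)
    findings = {
        "former_employee_active": [],
        "admin": [],
        "shared_or_service": [],
        "stale": [],
    }
    for a in accounts:
        if a.enabled and not a.employed:
            findings["former_employee_active"].append(a.name)
        if a.is_admin:
            findings["admin"].append(a.name)
        if a.owner is None:
            findings["shared_or_service"].append(a.name)
        if a.enabled and (a.last_logon is None or a.last_logon < stale_cutoff):
            findings["stale"].append(a.name)
    return findings


def inventory_summary(accounts, today, stale_days=90):
    """Headline numbers for the baseline: totals plus the per-category findings."""
    findings = review_identities(accounts, today, stale_days)
    return {
        "total_accounts": len(accounts),
        "enabled_accounts": sum(1 for a in accounts if a.enabled),
        "admin_accounts": len(findings["admin"]),
        "findings": findings,
    }


if __name__ == "__main__":
    report = inventory_summary(ACCOUNTS, date(2024, 5, 15))
    print(f"{report['total_accounts']} accounts, {report['enabled_accounts']} enabled, "
          f"{report['admin_accounts']} with admin privilege")
    for category, names in report["findings"].items():
        print(f"  {category}: {', '.join(names) or 'none'}")
```

Each finding maps back to an owner and a decision: disable, remove privilege, assign an owner, or document the exception. Those decisions are the first work items for the IAT domain.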
The assessment reveals dozens or hundreds of gaps. You cannot fix them all simultaneously. Prioritization determines what gets fixed first.
Five controls produce the most security per dollar for organizations starting from zero. Implement these in the first 30 days:

1. MFA deployed
2. Backups verified
3. Endpoint protection deployed
4. Email security configured
5. Cyber insurance purchased
After the quick wins, use Risk Assessment and Quantification to prioritize the remaining gaps. For each gap, estimate: how likely is the threat? What is the impact if it materializes? What does the control cost? What risk reduction does it produce? Prioritize by return on security investment. The controls that produce the greatest risk reduction per dollar get funded first.
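The prioritization step above is easiest to apply when the four estimates (likelihood, impact, control cost, risk reduction) are written down as numbers and ranked consistently. The script below is an added worked example, not part of the original article or of CDA's Risk Assessment and Quantification method; it uses the common annualized loss expectancy model (ALE = single loss expectancy x annual rate of occurrence) and the sample gaps, dollar figures, and probabilities are constructed for illustration only.

```python
from dataclasses import dataclass


@dataclass
class Gap:
    """One gap from the assessment with the four estimates the prioritization needs."""
    name: str
    sle: float           # single loss expectancy: dollar impact if the threat materializes
    aro_before: float    # annualized rate of occurrence without the control (likelihood)
    aro_after: float     # annualized rate of occurrence with the control in place
    control_cost: float  # annual cost of the control in dollars


def ale(sle, aro):
    """Annualized loss expectancy: expected dollars lost per year."""
    return sle * aro


def risk_reduction(gap):
    """Dollars of expected annual loss the control removes."""
    return ale(gap.sle, gap.aro_before) - ale(gap.sle, gap.aro_after)


def reduction_per_dollar(gap):
    """The ranking metric from the text: risk reduction per dollar of control cost."""
    return risk_reduction(gap) / gap.control_cost


def rosi(gap):
    """Return on security investment: (risk reduction - cost) / cost. Negative means the control costs more than it saves."""
    return (risk_reduction(gap) - gap.control_cost) / gap.control_cost


def prioritize(gaps):
    """Funding order: highest risk reduction per dollar first."""
    return sorted(gaps, key=reduction_per_dollar, reverse=True)


def negative_return(gaps):
    """Controls whose annual cost exceeds the loss they avoid; candidates to defer or re-scope."""
    return [g.name for g in gaps if rosi(g) < 0]


# Constructed sample gaps; every number here is an illustrative estimate, not a benchmark.
SAMPLE_GAPS = [
    Gap("MFA", sle=200_000, aro_before=0.5, aro_after=0.05, control_cost=12_000),
    Gap("Tested backups", sle=500_000, aro_before=0.2, aro_after=0.02, control_cost=30_000),
    Gap("DLP", sle=150_000, aro_before=0.1, aro_after=0.05, control_cost=40_000),
    Gap("Email security", sle=80_000, aro_before=1.0, aro_after=0.3, control_cost=8_000),
]


if __name__ == "__main__":
    print(f"{'Control':<16}{'Reduction':>12}{'Per $':>8}{'ROSI':>8}")
    for g in prioritize(SAMPLE_GAPS):
        print(f"{g.name:<16}{risk_reduction(g):>12,.0f}{reduction_per_dollar(g):>8.2f}{rosi(g):>8.2f}")
    print("Negative return:", negative_return(SAMPLE_GAPS) or "none")
```

The ranking is only as good as the estimates behind it, so record the rationale for each SLE and ARO alongside the number; a quantified risk register that leadership can challenge is more persuasive than a ranked list without sources.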
With priorities established, build the security program's operational infrastructure.
**Security Policy Framework.** Write the core policies: information security policy, acceptable use, access control, data classification, incident response, and business continuity. Policies provide the authority for every control you deploy. Without policies, controls have no governance backing.

**Compliance Program Design.** Identify which frameworks apply (SOC 2, HIPAA, PCI DSS, state privacy laws) and build the compliance infrastructure: evidence collection, internal audit, and multi-framework alignment. The Regulatory Compliance Landscape article maps which frameworks apply to which industries.

**Security Budget Planning.** Translate the risk assessment into a budget proposal. Allocate by PDM domain based on posture scores. Present to leadership in financial terms: risk reduction per dollar invested.
Build controls domain by domain, starting with the domains that scored lowest in the assessment:
- **IAT:** Deploy MFA (if not done in quick wins). Implement Privileged Access Management. Harden Active Directory. Design Zero Trust Architecture and Secure Remote Access.
- **DPS:** Implement Data Classification and Data Governance. Deploy Encryption at Rest and in Transit with proper Cryptographic Key Management. Deploy DLP. Build Backup and Recovery Architecture.
- **SPH:** Harden endpoints against CIS Benchmarks. Deploy Email Security. Configure Firewalls with default deny. Implement Change Management. Launch Security Awareness Training.
- **VSD:** Build the Vulnerability Management program. Automate Patch Management. Conduct Attack Surface Management. If you develop software, implement DevSecOps.
- **TID:** Deploy SIEM Architecture with Log Management. Implement Security Automation and Orchestration. Establish Threat Intelligence Operations. Build toward Threat Hunting capability.
Security programs require people. The CISO Role (or vCISO for smaller organizations) provides strategic leadership. The SOC Analyst career path provides operational staffing. Security Certifications validate skills. If the organization cannot fund a full team, CDA's managed engagement model provides the operational capability.
Controls that have not been tested are assumptions. DRILL validates that the controls work.
**Third-Party Penetration Testing.** Annual external and internal pen tests validate whether the controls prevent an attacker from achieving their objective. The pen test report drives the next HARDEN cycle.

**Disaster Recovery Testing.** Restore from backup. Time it. Verify the data. If the RTO exceeds the target, fix the architecture. CDA runs every recovery drill with a stopwatch.

**Tabletop Exercises.** Walk through an incident scenario with the response team. Identify gaps in roles, communication, and procedures. Conduct quarterly.

**Social Engineering Campaigns.** Test the human layer with phishing simulations. Measure click rate and report rate. These campaigns test the controls that Security Awareness Training builds.
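The disaster recovery test above has three measurable parts: the restore completes, it completes within the RTO, and the restored data matches what was backed up. The script below is an added example of automating that drill, not CDA's drill procedure or code from the original article. It stands in for a real backup system with a directory copy so it runs offline; the file contents, the 5-second RTO, and the hash-manifest check are constructed assumptions, and in production the restore function and the manifest captured at backup time would come from the actual backup tooling.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_tree(root):
    """Map each file's path relative to root to its SHA-256 digest, in deterministic order.

    Captured at backup time this is the manifest; computed after a restore it is the evidence.
    """
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def run_restore_drill(backup_dir, restore_dir, expected_digests, rto_seconds, restore=shutil.copytree):
    """Time the restore, verify every file against the manifest, and judge against the RTO.

    `restore` is whatever actually performs the recovery; the default directory copy is a
    stand-in for a backup product's restore call.
    """
    start = time.perf_counter()
    restore(backup_dir, restore_dir)
    elapsed = time.perf_counter() - start

    actual = sha256_tree(restore_dir)
    missing = sorted(set(expected_digests) - set(actual))
    corrupted = sorted(p for p in expected_digests if p in actual and actual[p] != expected_digests[p])
    return {
        "elapsed_seconds": elapsed,
        "within_rto": elapsed <= rto_seconds,
        "missing": missing,
        "corrupted": corrupted,
        "data_verified": not missing and not corrupted,
    }


def demo_drill(rto_seconds=5.0, corrupt=False):
    """Build a constructed 'production' tree, back it up, optionally damage the backup, then drill."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "production"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (src / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = sha256_tree(src)  # recorded when the backup was taken

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        if corrupt:
            # Simulate a silently bad backup: the restore "succeeds" but the data is wrong.
            (backup / "config.yaml").write_bytes(b"retention_days: 99\n")

        return run_restore_drill(backup, Path(tmp) / "restored", manifest, rto_seconds)


if __name__ == "__main__":
    for label, result in (("clean backup", demo_drill()), ("corrupted backup", demo_drill(corrupt=True))):
        verdict = "PASS" if result["within_rto"] and result["data_verified"] else "FAIL"
        print(f"{label}: {verdict} in {result['elapsed_seconds']:.3f}s; "
              f"missing={result['missing']} corrupted={result['corrupted']}")
```

The corrupted-backup case is the one worth keeping in the drill: a restore that finishes inside the RTO but returns the wrong bytes would pass a stopwatch-only test, which is why the manifest comparison is part of the pass criteria.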
Building a security program is a project. Operating a security program is a discipline. COMMAND sustains the program over time.
**Continuous monitoring.** Security Metrics and Reporting tracks posture scores, detection coverage, patch compliance, and incident trends. SOC Design provides the operational structure for 24/7 detection and response.

**Continuous improvement.** Every pen test finding, every incident, every audit result drives improvement. The RECON-BUILD-HARDEN-DRILL-COMMAND cycle repeats continuously. Each cycle raises the Posture Score.

**Board reporting.** The CISO reports to the board quarterly on three questions: what is our risk, what are we doing about it, and is it working? The Posture Score provides the 30-second visual answer.
A realistic timeline for building a security program from scratch:
| Period | Phase | Key Milestones |
|--------|-------|----------------|
| Month 1 | Quick wins | MFA deployed, backups verified, endpoint protection deployed, email security configured, cyber insurance purchased |
| Months 2-3 | Assessment | FRM or self-assessment complete, risk assessment produced, priorities established, budget proposed |
| Months 3-6 | Build Phase 1 | Core policies written, IAT and DPS controls deployed, vulnerability management operational |
| Months 6-9 | Build Phase 2 | SIEM deployed, SPH hardening complete, compliance program initiated, awareness training launched |
| Months 9-12 | Test and refine | First pen test, first DR drill, first tabletop exercise, findings drive HARDEN cycle |
| Month 12+ | Operate | COMMAND missions sustain operations, posture scores tracked, continuous improvement cycle running |
Twelve months from zero to functioning program. Not mature. Not complete. Functioning: assessed, prioritized, controlled, tested, and measured. Maturity comes from repeating the cycle over years 2, 3, and beyond.
Building a security program from scratch is the problem CDA was designed to solve. The PDM provides the architecture. The FRM provides the assessment. The TOP missions provide the execution plan. The Posture Score provides the measurement. The engagement tiers (Confidential $5,000/month, Secret $15,000/month, Top Secret $45,000/month) provide the operational capability scaled to the organization's needs.
An organization that engages CDA does not need to build the program alone. CDA runs the RECON (FRM), builds the controls (TOP missions across all six domains), tests the defense (DRILL missions), and operates in steady state (COMMAND missions). The organization receives a functioning security program built on a proprietary framework, operated by experienced professionals, and measured by a quantified Posture Score that demonstrates improvement over time.
An organization that builds without CDA can use CDA.Wiki as the reference. Every article in the wiki maps to a PDM domain, references specific controls, and provides the knowledge needed to build each component independently. The wiki is free. The knowledge is free. CDA.Wiki has over 900 articles covering every cybersecurity topic from encryption fundamentals to state-sponsored threat analysis. "CDA.Wiki has 1,168 articles. Every one is free."
The starting point is the same either way: assess first. The FRM is free. The CIS IG1 self-assessment is free. Start there. Everything else follows.
Written by Evan Morgan