Taking Your First Steps

A journey of a thousand miles begins with a single (baby) step.

I still remember the first few times I watched my daughter crawling around on the carpet, zooming from one toy to the next.  Josie knew she was fastest on all fours even after she understood how to walk, growing frustrated with us when we encouraged her to take steps.  After a few struggles, we decided to change our approach.  I remember making the simple decision to start putting the things she wanted on the coffee table, just within arm's reach as she stood.  Standing became walking, which turned into running, and her days of scooting around on her hands and knees were over.

Sometimes, we need a bit of help understanding a better way.  Like many organizations, Josie needed a catalyst for change – things being moved off the floor.  Most organizations understand cybersecurity creates risk for their business, but many need a catalyst before they begin planning for cybersecurity. Usually, that means they’ve had a costly cybersecurity incident. But that doesn’t have to be your story – you can start planning today.

In this article, we’ll explore the question of where a cybersecurity program begins.  The first step is determining the overall strategy your organization will follow.  For the sake of understanding, we’re going to lump the first decision into two options:

1. Build a DIY cybersecurity program.

2. Work with a cybersecurity partner to build the program around you.

It might be helpful to think about the problem this way:

1. Hidden costs with a longer window of exposure.

2. A new fixed expense with a rapid time to value.

Building Your Own Program

One of the biggest hurdles facing business owners who attempt to build their own cybersecurity program is that the security community doesn’t make it easy to get started.  We have an impenetrable wall of jargon, often speaking a completely different language. It’s a challenge that you absolutely can beat!  But you need to set your expectations appropriately: you’ll be gluing your eyes to your monitor for months while your understanding builds.  More importantly, you’ll need to accept the risk that if a cybersecurity incident takes place in your organization before your program reaches maturity, there’s about a 65% chance the cost will dramatically change the course of business.

With all these costs and losses from a cybersecurity breach, small businesses are less likely than large businesses to be able to even bounce back at all. The Better Business Bureau (BBB) estimates that only 35% of small businesses could continue to be profitable for three months or longer if they permanently lost data through a cybersecurity breach.

From https://www.forbes.com/sites/theyec/2019/09/18/the-state-of-cybersecurity-pertaining-to-small-business/#27ac4ede31a0

If you’re serious about taking the DIY approach, take a look at our list of do’s and don’ts for DIY!

Working with a Cybersecurity Partner

Choosing the right cybersecurity firm can be just as tricky as building your own program.  Like fingerprints, no two businesses are exactly alike, which makes it exceedingly difficult to find a one-size-fits-all cybersecurity solution.  Think of it this way: Imagine an insurance agent is working to determine if they have a policy that can help you.  The agent has the best and most affordable boat insurance policies around, and you decide to pull the trigger after a lengthy conversation.  On the ride home, it occurs to you: You don’t own a boat.

Stay away from providers who begin selling their solution before they understand how your business operates.

One of your cybersecurity partner’s goals should be to take the variable costs associated with cyber risk and convert them into an easy and predictable fixed cost. Without understanding how your business converts opportunity into value, it’s just boat insurance.