person working on a laptop

The Journey: Building a Cyber Security Program

The Journey: Building a Cyber Security Program

3 Minute Read

From introduction to maturity, MNP’s Jason Murray outlines each stage in building an effective cyber security program.

Creating a robust cyber security program is a long-term, multi-stage process which continues through the lifecycle of the organization. The goal of which is continuous progress through intersecting dimensions of risk and maturity to make the program as secure as it needs to be to protect against the most prescient threats, but no more. Security for the sake of security is not the goal.

While the temptation to find the ever-elusive switch that takes the business from insecure to completely secure will always be there, understand this destination is an illusion. It doesn’t exist.

In fact, like business itself, the cyber security journey doesn’t have a defined destination at all. It is simply a matter of learning, testing, implementing, adapting and growing along the way.

Stage One: A Random Bunch of Stuff

Most organizations will begin their cyber security journey with at least a handful of controls already in place.

However, this is usually an uncoordinated smattering of outdated and generic stop-gaps – firewalls, antivirus software, intrusion detection systems – which lack a cohesive or overarching strategy.

While it can initially feel discouraging to realize how early one is on the road to maturity, it is also remarkably freeing to see there’s a structured and cohesive road ahead.

From stage one, the business can plot the most reasonable path forward.

Stage Two: Compliance

A common first step forward occurs when an organization needs to become compliant with a specific cyber security framework. This could be self-imposed or externally mandated.

Compliance offers a clear entry point to build momentum – especially because in most instances the compliance body mandates the required controls and documentation.

This will deliver an immediate boost to the program’s risk management and overall maturity.

Stage Three: Early Cyber Program

An added benefit to the compliance stage is the need to complete annual risk assessments – which, if embraced, can support the continued growth and improvement of the organization’s cyber security program.

Risks define the critical objectives, which inform the strategies and tactics needed to mature. With these insights in-hand, the individuals in charge of the cyber security program have a robust picture of where improvements are required and how to implement them.

Stage Four: Mature Cyber Program

Thinking back to the hierarchy of cyber security needs, the final stage represents cyber self-actualization – the ideal state for any organization.

This continual cycle of planning, executing, checking, acting that drives along a path of constant improvement provides organizations with the sophistication, adaptability and agility to keep pace with a constantly evolving business and threat landscape.

Tomorrow’s technology is shaping business today. To learn more about how MNP can help you build an effective cyber security strategy, contact Jason Murray at 647.333.6241 or [email protected]


  • Agility

    What are the barriers to net-zero for Canada’s energy and utilities companies?

    Is net-zero electricity achievable by 2035? Explore the current state of the sector and the challenges and opportunities on the path toward renewable energy.

  • Performance

    September 18, 2023

    Tax Alert: Enhanced GST Rental Rebate

    Learn more about the Enhanced GST Rental Rebate that will relieve 100 percent of GST on specified residential rental construction projects.

  • Confidence

    Untangling money laundering regulations for Canadian real estate

    In an industry that has historically been attractive for criminals and money laundering activity, those in the Canadian real estate market have a responsibility of due diligence to keep themselves and their business safe. While it may seem like a daunting task to ensure your business isn’t being used for criminal activity, federal guidelines exist to ensure compliance and vigilance within real estate.