If I came into a company today with no real cybersecurity, I would start with these six things.
Not by buying tools.
Not by starting with an audit.
I would start with the foundation that many companies are missing.
1. Who is responsible for security as a whole
Not IT.
A concrete person.
Someone has to own cybersecurity as a management responsibility, not only as a technical activity.
IT can operate systems and tools, but the organization needs one clear owner for security as a whole.
Without ownership, every problem becomes someone else’s problem.
2. How an incident is handled from beginning to end
Not a document that nobody uses.
A real procedure.
The company should know what happens from the first signal to the final lessons learned:
- who is informed,
- who investigates,
- who decides,
- who communicates,
- who documents,
- who confirms recovery.
A procedure that exists only as a file is not preparedness.
A procedure that people can actually follow is.
3. Who has decision authority
Who can stop a system?
Who can isolate infrastructure?
Who communicates externally?
Who accepts business impact?
These decisions cannot be invented during an incident. They have to be clear before pressure arrives.
If nobody knows who has the final word, the company will lose time exactly when time is most expensive.
4. What we are actually protecting
Security has no meaning without knowing what matters.
Which information is critical?
Which systems are essential?
Which processes must continue?
Which data would create the biggest legal, operational or reputational impact if exposed, lost or manipulated?
Without defining key information and key assets, security becomes a collection of activities without direction.
5. How quickly we can react
The real question is not only whether the company has tools.
The real question is:
What will we do in the first 30 minutes?
Can we detect the problem?
Can we understand the impact?
Can we make a decision?
Can we communicate internally?
Can we stop the damage from spreading?
Speed does not come from panic. It comes from preparation.
6. How the whole thing is managed
Without management, cybersecurity is only a set of activities.
Someone installs something.
Someone writes something.
Someone checks something.
But nobody knows whether the system as a whole is working.
Cybersecurity needs governance:
- ownership,
- priorities,
- evidence,
- regular review,
- improvement,
- accountability.
That is how security becomes controlled.
The real difference
This is not theory.
This is the difference between a company that has “security” and a company that has security under control.
The hard truth is simple:
Most organizations do not start badly.
They just start in the wrong place.
They start with tools before responsibility.
With documents before decisions.
With audits before operational reality.
The better starting point is control.
So the question is:
Which of these six points does your company truly have solved?