Building Enterprise Cybersecurity From Scratch: The Spiral Approach

Start security programs with prioritization and simplicity using a spiral lifecycle: pick one critical asset, understand its risk tolerance, identify top threats and vulnerabilities, implement solutions, document everything, and repeat. Success depends on people skills first, then process, then technology—and securing executive buy-in through trusted intermediaries like legal counsel and CFO.

The Spiral Lifecycle: Starting Small, Scaling Fast

Prioritization and Simplicity Over Boiling the Ocean

Most security frameworks (NIST, ISO, ISC²) prescribe building a gigantic program over five years with huge budgets, which overwhelms organizations. Instead, use prioritization and simplicity: pick one critical data asset or business process, secure it completely with documentation and testing, then repeat the process spiraling outward. This yields 80% security coverage of critical processes within one year using only 20% of the effort compared to traditional approaches.

Break Down Risk Tolerance Into Bite-Sized Pieces

Asking executives for organization-wide risk tolerance is overwhelming and builds distrust. Instead, focus on one specific business process and ask: 'What is your risk tolerance for this one process?' This produces actionable answers. Once you understand that, identify the two to three biggest threats to that process (e.g., ransomware, data theft, third-party liability), then the vulnerabilities that enable those threats.

Real Example: Ransomware and Backup Redundancy

For a critical business process, the biggest threat might be ransomware encryption. The vulnerability: no real-time backups or failover redundancy. The solution: build redundancy and failover so if the primary server is compromised, recovery is possible without paying ransom. Document procedures, test recovery, write incident response plan, conduct tabletop exercise, then monitor. Within weeks, that process is secured and documented.

Executive Alignment: Building Credibility Without the Hero Complex

Start With Legal Counsel and CFO, Not the CEO

New security leaders lack credibility with the CEO. Instead, build a coalition: start with the Chief Legal Counsel (responsible for legal risk) and CFO (responsible for financial risk). Together, they represent 40–50% of executive influence and already have the CEO's ear. Have them present the risk analysis and recommendation to the board with you present but not leading. This bypasses the credibility gap and gets decisions made quickly.

Check Your Ego: Don't Be the Hero Early

New security leaders often try to present directly to the board and take credit, which fails because they lack established relationships and credibility. Instead, let trusted executives (legal, finance) present while you support. You won't get credit initially, but in 6–9 months once the program is proven, you'll be invited to board meetings as the recognized expert. Trying to be the hero from day one undermines the entire effort.

Soft Skills and Leadership: The C-Suite Requirement

Technical Brilliance Is Not Enough; Communication Mastery Is Essential

Most CISOs come from technical backgrounds and are introverts who struggle with non-technical audiences. However, a C-level title requires being a people person, extrovert, and master communicator. This is a learnable skill, not an innate trait. Even naturally introverted people can master extrovert skills through deliberate practice—though it may be more draining. The key: get comfortable being uncomfortable and practice relentlessly.

Translate Security Into Business Language: Revenue, Profit, Loss

CEOs and COOs only care about revenue, profit, and minimizing losses. Saying 'ransomware could encrypt our systems' means nothing to them. Instead, say: 'Our patient data system has an 85% probability of becoming inaccessible to doctors and patients, costing us $8 million minimum. I recommend spending $500K to fix it. Is that within your risk tolerance?' Now you're speaking their language and they engage. Give them numbers and let them modify the risk parameters.

Do You Want to Be Right or Do You Want to Win?

Technical people often prioritize being correct over achieving the goal. In executive communication, winning the decision is more important than proving your point. Start with common ground, build agreement incrementally, and guide them to your conclusion rather than forcing it. This requires emotional intelligence and patience.

People, Process, Technology: The Correct Priority Order

Reverse the Typical Priority: People First, Then Process, Then Technology

Most organizations prioritize technology first, then process, then people—which fails. The correct order is people (communication, buy-in, skills), then process (documented, repeatable workflows), then technology (tools to support the process). If people aren't on board, they won't follow policies. If there's no process, it's not repeatable and drains IT resources. If process is missing, technology becomes abandoned.

Why Security Policies Fail: The Technology-First Trap

Organizations implement security policies (e.g., 'don't click suspicious links') without building people buy-in or documented processes. Result: people ignore the policy because they don't understand why or how to follow it consistently. AWS's 12-hour outage in 2023 was caused by a configuration error—the people and technology were world-class, but the process (verification, validation, tabletop exercises) was missing. Process failures, not technology failures, cause breaches.

First Hire: Program Manager, Not a Technical Person

When building a security program from scratch, the first hire should be a program manager or technical writer, not a security engineer. You need someone to document every process, policy, and procedure with schedules and workflows. This enables replication and scaling. Technical skills come later; documentation and process discipline come first.

Upskilling and AI: Building the Right Team

Hire People Smarter Than You; Don't Fear Replacement

Technical leaders often hire people less capable than themselves out of fear of replacement. Instead, hire people smarter, faster, and better. You won't be replaced because high-level problem-solving, explaining complex topics, and strategic thinking are your strengths—not the junior person's. This builds a stronger team and accelerates progress.

AI Won't Replace Security Leaders; It Replaces Low-Level Repetitive Work

AI only works on documented, consistent, repetitive processes that don't require original thought. When building a security program from scratch, you need high-level thinking and creativity—AI cannot do this. Don't deploy AI agents for at least a year or two. Once the program is mature and processes are standardized, AI can automate low-level tasks. AI replaces junior staff doing repetitive work, not senior strategists.

Upskilling Is Non-Negotiable; Modern Tools Without Skills Are Worthless

Organizations invest in EDR, MDR, XDR, AI, and ML tools but lack the skills to use them effectively. Without upskilling the team, modern technology delivers no value. Invest in training and development before or alongside tool deployment. Skills enable technology; technology without skills is wasted budget.

Core Security Program Components: The Mandatory Checklist

Seven Essential Components of a Security Program

A complete security program includes: (1) Data classification—identify and prioritize critical data; (2) Risk assessment—determine threats with highest likelihood and vulnerabilities with biggest impact; (3) Countermeasures—select fast, cheap, effective solutions to remediate risk; (4) Contingency/disaster recovery plan—ensure business continuity if primary systems fail; (5) Incident response plan—procedures for responding to incidents; (6) Tabletop exercise—train team and validate the plan works; (7) Maintenance and operations—run it as an ongoing operation, then repeat for the next asset.

Tight Budget: The Minimum Viable Approach

You Can't Do Security for Free; Show Value With Small Investments First

If a company has no budget for security, they're not ready. However, if budget is tight, start with a small engagement ($5K) to identify the top two risks with likelihood, impact, and cost to fix. Show them the financial case. Once they see the value, they'll approve the first fix ($100K). After that succeeds and saves money, they'll fund the next fix ($250K). By year-end, they've spent $1M+ but did it piecemeal and saw value at each step.

The Restaurant Analogy: Security Requires Investment

If you walk into a nice restaurant with no money and ask for a free meal, they'll ask you to leave. Similarly, if a company won't invest in security, they're not serious about risk. Don't waste time on organizations that claim to have critical data but won't pay. Security is not free, and organizations that won't invest aren't ready.

Notable quotes

My rules that I always teach are prioritization and simplicity. — Dr. Eric Cole
Do you want to be right or do you want to win? — Dr. Eric Cole
People, process, technology—in that prioritized order. You got to get the people skills down first. — Dr. Eric Cole

Action items

  • Identify your organization's single most critical data asset or business process and start there, not with enterprise-wide security.
  • Map the top 2–3 threats to that asset and the vulnerabilities that enable them; ignore the long tail of low-probability risks.
  • Build a coalition with Chief Legal Counsel and CFO before approaching the CEO; have them present the risk and recommendation to the board.
  • Translate security risks into financial language: probability, cost of breach, cost to fix. Frame it as a business decision, not a technical one.
  • Hire a program manager or technical writer as your first security hire to document processes, not a technical engineer.
  • Document every process, procedure, and policy so the model can be replicated and scaled to the next asset.
  • Run a tabletop exercise and incident response drill to validate your plan before declaring the asset secure.
  • Invest in upskilling your team before deploying new tools (EDR, MDR, XDR, AI); tools without skills deliver no value.
  • For tight budgets, start with a small risk assessment ($5K) to identify the top two risks and their financial impact, then use that to justify larger fixes incrementally.
Prabh Nair
32 min video
3 min read
Building Enterprise Cybersecurity From Scratch: The Spiral Approach
You just saved 29 min.
The big takeaway
Start security programs with prioritization and simplicity using a spiral lifecycle: pick one critical asset, understand its risk tolerance, identify top threats and vulnerabilities, implement solutions, document everything, and repeat. Success depends on people skills first, then process, then technology—and securing executive buy-in through trusted intermediaries like legal counsel and CFO.
The Spiral Lifecycle: Starting Small, Scaling Fast
Prioritization and Simplicity Over Boiling the Ocean
Most security frameworks (NIST, ISO, ISC²) prescribe building a gigantic program over five years with huge budgets, which overwhelms organizations. Instead, use prioritization and simplicity: pick one critical data asset or business process, secure it completely with documentation and testing, then repeat the process spiraling outward. This yields 80% security coverage of critical processes within one year using only 20% of the effort compared to traditional approaches.
Traditional NIST Approach (1 year)
Risk tolerance defined, threats identified, vulnerabilities listed—nothing fixed
Spiral Lifecycle (1 year)
80% of critical processes secured with documentation, incident response plans, and tested recovery procedures
Spiral lifecycle delivers measurable security wins; traditional frameworks deliver planning without remediation.
Break Down Risk Tolerance Into Bite-Sized Pieces
Asking executives for organization-wide risk tolerance is overwhelming and builds distrust. Instead, focus on one specific business process and ask: 'What is your risk tolerance for this one process?' This produces actionable answers. Once you understand that, identify the two to three biggest threats to that process (e.g., ransomware, data theft, third-party liability), then the vulnerabilities that enable those threats.
Real Example: Ransomware and Backup Redundancy
For a critical business process, the biggest threat might be ransomware encryption. The vulnerability: no real-time backups or failover redundancy. The solution: build redundancy and failover so if the primary server is compromised, recovery is possible without paying ransom. Document procedures, test recovery, write incident response plan, conduct tabletop exercise, then monitor. Within weeks, that process is secured and documented.
20–25%
Security increase from securing one critical asset with documentation and recovery plan
One secured asset with full documentation and testing yields measurable security improvement.
Executive Alignment: Building Credibility Without the Hero Complex
Start With Legal Counsel and CFO, Not the CEO
New security leaders lack credibility with the CEO. Instead, build a coalition: start with the Chief Legal Counsel (responsible for legal risk) and CFO (responsible for financial risk). Together, they represent 40–50% of executive influence and already have the CEO's ear. Have them present the risk analysis and recommendation to the board with you present but not leading. This bypasses the credibility gap and gets decisions made quickly.
1
Chief Legal Counsel
Owns legal and compliance risk
2
CFO
Owns financial impact and budget
3
CEO/COO/Board
Final decision-maker (reached via above two)
Build coalition with legal and finance first; they have existing board relationships.
Check Your Ego: Don't Be the Hero Early
New security leaders often try to present directly to the board and take credit, which fails because they lack established relationships and credibility. Instead, let trusted executives (legal, finance) present while you support. You won't get credit initially, but in 6–9 months once the program is proven, you'll be invited to board meetings as the recognized expert. Trying to be the hero from day one undermines the entire effort.
Soft Skills and Leadership: The C-Suite Requirement
Technical Brilliance Is Not Enough; Communication Mastery Is Essential
Most CISOs come from technical backgrounds and are introverts who struggle with non-technical audiences. However, a C-level title requires being a people person, extrovert, and master communicator. This is a learnable skill, not an innate trait. Even naturally introverted people can master extrovert skills through deliberate practice—though it may be more draining. The key: get comfortable being uncomfortable and practice relentlessly.
Technical skill
95 %
Communication skill
20 %
Required for C-suite
50 %
Most CISOs excel technically but lack communication skills needed for executive role.
Translate Security Into Business Language: Revenue, Profit, Loss
CEOs and COOs only care about revenue, profit, and minimizing losses. Saying 'ransomware could encrypt our systems' means nothing to them. Instead, say: 'Our patient data system has an 85% probability of becoming inaccessible to doctors and patients, costing us $8 million minimum. I recommend spending $500K to fix it. Is that within your risk tolerance?' Now you're speaking their language and they engage. Give them numbers and let them modify the risk parameters.
85%
Probability of patient data system outage; $8M cost; $500K fix recommended
Frame security in financial terms: probability, cost, and investment required.
Do You Want to Be Right or Do You Want to Win?
Technical people often prioritize being correct over achieving the goal. In executive communication, winning the decision is more important than proving your point. Start with common ground, build agreement incrementally, and guide them to your conclusion rather than forcing it. This requires emotional intelligence and patience.
People, Process, Technology: The Correct Priority Order
Reverse the Typical Priority: People First, Then Process, Then Technology
Most organizations prioritize technology first, then process, then people—which fails. The correct order is people (communication, buy-in, skills), then process (documented, repeatable workflows), then technology (tools to support the process). If people aren't on board, they won't follow policies. If there's no process, it's not repeatable and drains IT resources. If process is missing, technology becomes abandoned.
1
People
Communication, buy-in, skills
2
Process
Documented, repeatable workflows
3
Technology
Tools supporting the process
Correct priority order for sustainable security programs.
Why Security Policies Fail: The Technology-First Trap
Organizations implement security policies (e.g., 'don't click suspicious links') without building people buy-in or documented processes. Result: people ignore the policy because they don't understand why or how to follow it consistently. AWS's 12-hour outage in 2023 was caused by a configuration error—the people and technology were world-class, but the process (verification, validation, tabletop exercises) was missing. Process failures, not technology failures, cause breaches.
First Hire: Program Manager, Not a Technical Person
When building a security program from scratch, the first hire should be a program manager or technical writer, not a security engineer. You need someone to document every process, policy, and procedure with schedules and workflows. This enables replication and scaling. Technical skills come later; documentation and process discipline come first.
Upskilling and AI: Building the Right Team
Hire People Smarter Than You; Don't Fear Replacement
Technical leaders often hire people less capable than themselves out of fear of replacement. Instead, hire people smarter, faster, and better. You won't be replaced because high-level problem-solving, explaining complex topics, and strategic thinking are your strengths—not the junior person's. This builds a stronger team and accelerates progress.
AI Won't Replace Security Leaders; It Replaces Low-Level Repetitive Work
AI only works on documented, consistent, repetitive processes that don't require original thought. When building a security program from scratch, you need high-level thinking and creativity—AI cannot do this. Don't deploy AI agents for at least a year or two. Once the program is mature and processes are standardized, AI can automate low-level tasks. AI replaces junior staff doing repetitive work, not senior strategists.
Upskilling Is Non-Negotiable; Modern Tools Without Skills Are Worthless
Organizations invest in EDR, MDR, XDR, AI, and ML tools but lack the skills to use them effectively. Without upskilling the team, modern technology delivers no value. Invest in training and development before or alongside tool deployment. Skills enable technology; technology without skills is wasted budget.
Core Security Program Components: The Mandatory Checklist
Seven Essential Components of a Security Program
A complete security program includes: (1) Data classification—identify and prioritize critical data; (2) Risk assessment—determine threats with highest likelihood and vulnerabilities with biggest impact; (3) Countermeasures—select fast, cheap, effective solutions to remediate risk; (4) Contingency/disaster recovery plan—ensure business continuity if primary systems fail; (5) Incident response plan—procedures for responding to incidents; (6) Tabletop exercise—train team and validate the plan works; (7) Maintenance and operations—run it as an ongoing operation, then repeat for the next asset.
Tight Budget: The Minimum Viable Approach
You Can't Do Security for Free; Show Value With Small Investments First
If a company has no budget for security, they're not ready. However, if budget is tight, start with a small engagement ($5K) to identify the top two risks with likelihood, impact, and cost to fix. Show them the financial case. Once they see the value, they'll approve the first fix ($100K). After that succeeds and saves money, they'll fund the next fix ($250K). By year-end, they've spent $1M+ but did it piecemeal and saw value at each step.
Month 1
Risk assessment: $5K
Month 3
Fix #1: $100K (shows ROI)
Month 6
Fix #2: $250K (builds confidence)
Month 12
Total investment: ~$1M with demonstrated value
Piecemeal approach: start small, show value, scale incrementally.
The Restaurant Analogy: Security Requires Investment
If you walk into a nice restaurant with no money and ask for a free meal, they'll ask you to leave. Similarly, if a company won't invest in security, they're not serious about risk. Don't waste time on organizations that claim to have critical data but won't pay. Security is not free, and organizations that won't invest aren't ready.
Worth quoting
"My rules that I always teach are prioritization and simplicity."
— Dr. Eric Cole, at [3:35]
"Do you want to be right or do you want to win?"
— Dr. Eric Cole, at [15:26]
"People, process, technology—in that prioritized order. You got to get the people skills down first."
— Dr. Eric Cole, at [18:33]
Try this
Identify your organization's single most critical data asset or business process and start there, not with enterprise-wide security.
Map the top 2–3 threats to that asset and the vulnerabilities that enable them; ignore the long tail of low-probability risks.
Build a coalition with Chief Legal Counsel and CFO before approaching the CEO; have them present the risk and recommendation to the board.
Translate security risks into financial language: probability, cost of breach, cost to fix. Frame it as a business decision, not a technical one.
Hire a program manager or technical writer as your first security hire to document processes, not a technical engineer.
Document every process, procedure, and policy so the model can be replicated and scaled to the next asset.
Run a tabletop exercise and incident response drill to validate your plan before declaring the asset secure.
Invest in upskilling your team before deploying new tools (EDR, MDR, XDR, AI); tools without skills deliver no value.
For tight budgets, start with a small risk assessment ($5K) to identify the top two risks and their financial impact, then use that to justify larger fixes incrementally.
Made with Glimpse by Wozart
glimpse.wozart.com/v/wp8kschf
Share this infographic

More like this