Governance · 2026-04-08 · 12 min read

Building a Security Program from Scratch: A Practical 90-Day Plan

Week 1–2: Understand the Landscape

Before you write a single policy, you need to understand what you're protecting and who you're protecting it from. Start with three conversations:

  1. Executive leadership - What keeps them up at night? What are the regulatory obligations? What's the risk appetite?
  2. Engineering / IT - What does the infrastructure look like? Cloud? On-prem? Hybrid? What tools are already in place?
  3. Legal / Compliance - What frameworks or regulations apply? Are there contractual security requirements from customers?

These conversations give you the business context that no framework can provide. Document everything.

Week 3–4: Risk Assessment (Light Version)

You don't need a full-blown risk assessment in Month 1. You need a prioritized list of what could hurt the organization most. Focus on:

  • Crown jewels - What data, systems, or processes would cause the most damage if compromised?
  • Known gaps - What's obviously missing? No MFA? No endpoint protection? No incident response plan?
  • Regulatory exposure - Are there compliance deadlines approaching?

Create a simple risk register with columns: Risk, Likelihood, Impact, Current Controls, Priority. This becomes your roadmap.

Week 5–8: Quick Wins

Deploy the controls that provide the highest risk reduction with the lowest friction:

  • MFA everywhere - Start with email, cloud admin, and VPN
  • Endpoint protection - Deploy EDR if not already in place
  • Access review - Audit who has admin access to what
  • Backup verification - Confirm backups exist and test a restore
  • Acceptable Use Policy - One page, plain language, get it signed

Week 9–12: Foundation Building

Now you can start the longer-term work:

  • Security policies - Start with the core five: Information Security, Acceptable Use, Data Classification, Incident Response, Access Control
  • Incident response plan - Even a basic one-pager is better than nothing
  • Vendor security questionnaire - For new vendor onboarding
  • Security awareness - A short kickoff session, not a boring computer-based training (CBT) module

Common Mistakes to Avoid

  • Don't start with a framework - Start with risks. Frameworks are tools, not strategies.
  • Don't buy tools before understanding problems - Technology is the last step, not the first.
  • Don't work in isolation - Security is a business function. Build relationships with every department.
  • Don't aim for perfect - Aim for measurably better than yesterday.

The goal of the first 90 days isn't a perfect security program. It's a credible foundation that demonstrates competence, earns trust, and creates a roadmap everyone can follow.