Secure Controls Framework

How to create a cybersecurity program?

Direct Answer

The process of creating a cybersecurity program starts with establishing context, since architecting a cybersecurity program is a systematic, top-down process that is grounded in the organization’s industry, risk appetite and strategic goals.

The Security, Compliance & Resilience Management System (SCRMS) is a “how to build a cybersecurity program” playbook. The SCRMS is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. The SCRMS is designed to:

  • Address both internal controls and the broader concept of Supply Chain Risk Management (SCRM).
  • Focus on the need to understand and clarify the difference between "compliant" and "secure", since that distinction is necessary for coherent risk management discussions.

To assist in this process, SCRMS helps an organization categorize its applicable controls according to “must have” vs “nice to have” requirements:

  • Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
  • Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite, since DSR go “above and beyond” MCR: the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.

The SCRMS provides 9 steps to create and maintain a cybersecurity program:

  • Establish Context;
  • Identify Applicable Controls;
  • Define Maturity Expectations;
  • Publish Governance Documentation;
  • Assign Stakeholder Accountability;
  • Prioritize Capabilities According To Risk;
  • Maintain Situational Awareness;
  • Manage Risk; and
  • Evolve Processes.

This structure ensures your cybersecurity program is not just a siloed checklist, but a dynamic risk-management ecosystem integrated with overarching corporate strategy.