September 10, 2021

how can I start a cybersecurity department from scratch

I work as an IT help-desk manager in a company of 500+ employees and 15000+ connected devices protected by a “single firewall”.

Unfortunately there’s a very old IT structure that hasn’t developed any new roles in 15 years, and I want to propose a role for IT security to the CEO.

How can I start/convince the management of the importance of such a team, and what are the roles that are most essential at this early beginning and that can be a foundation for future, more advanced roles?



I’ve been building SOCs and security programs for a long time, and from first-hand experience I can tell you that it’s a losing proposition to pitch a security program to management for the purpose of making the company more secure. Management doesn’t give a shit about security.

However, management *does* care about money. They care a lot about money.

Your job, therefore, is to show management that NOT doing security is more expensive than doing security. It is then management’s job to decide how much risk they want to tolerate, knowing that it will cost them real dollars to respond to breaches, customer info disclosures, etc.

TLDR: you don’t sell security programs to management, you sell cost avoidance in the guise of security.


Take a look at how much it costs to remedy a company that was compromised.


I know it sounds contrary to the fact that Security is so vital it should be selling itself, but nothing galvanizes mgmt approval faster than a “compliance” requirement/mandate.

Find any regulatory requirements of your org /vertical and create a business case around that. If you finagle that, get someone from Sr mgmt to be designated as security champion, preferably someone well known and respected, so you can name drop and get things done.

If the org has a f/w, who manages it? Start with a dedicated f/w admin, then look at the f/w’s current security posture and take it from there gradually.


You most likely can’t convince management. What you can do is help the management recognize and understand the cyber risks and how those could impact the business owners negatively – So, Mr and Mrs business owner, if we get breached, and all that PII gets released onto the darkweb, how might that impact you personally? The data owners, those who will literally pay when the S hits the F, are the ones who will drive the decision. The manglers don’t have a horse in the race, figuratively speaking, as it’ll just be another “issue” to deal with. A business this large should have some sort of risk management process. Cyber is just another business risk to be evaluated, managed and, if the cost/benefits weigh out, mitigated. There may already be something documented that talks to this need – is there a BCP/DR Plan that has any timelines/expectations/requirements? Any Incident Response Plans? Any Business Impact Analysis that discusses service restoration timelines? Are there any recovery time expectations? The results that the business is looking for might be a good driver. For example – if the accounting department is down, what are the expectations for restoration of normal operations? If they say 12 or 24 hours, that equates to a pretty decent BCP/DR platform, tested regularly. Small downtime windows also naturally lean towards more cyber capabilities in order to reduce the likelihood of an event interrupting the business for very long, if at all. I hope this makes sense.


What others have said. I’m sure you’ve heard security people say, “companies that don’t care about security have not been hit yet.” This is very true. I’ve also heard companies say, ‘we are too small to worry about security.’ Tell that to small rural police departments or small local businesses that have been hacked. An easy target is the preferred target.

If management pushes back hard, at least try and have offsite backups, and test them frequently. You may need to play on the IR side if you can’t hire someone to improve your security posture.


Good luck!!!

A pen test should show them how vulnerable they are, and what can be lost when breached. Since it’s a one-and-done contract with a report, not an ongoing expense, it’s going to be an easier pill to swallow than new hires, policy, etc.

That should start the ball rolling.


If you start posting your company name online and how they don’t have a security team I’m sure it’ll be breached before too long and you’ll have no problem starting one with management approval.


Send me your password and I’ll show you.


Present case studies of similarly sized companies and the ransoms they’ve paid. The stories aren’t generally publicized but some get out. Municipalities and services have to be more forward with disclosure.


I would highlight that there is a lack of standard procedures for security practices, and that this generates inefficiencies, wastes money and causes security issues. To counter that you need an information security team to create policies and a Cybersecurity team to lead on the technical aspects.

Then, if you manage to create at least an information security team that reports to the board, the power grabbing politics should do the rest to extend the team further into more and more Cybersecurity aspects.

In my current company, the CISO was so good at this he even absorbed the legal and audit teams. Now the “Security and Governance” team is huge.


I am currently in the middle of this exact process at a company with 5000 people, if you wanna chat I’m down.


500+ employee company and you have no security… remind me to never go near your company for anything.

How do you manage compliance and privacy, and how do you protect customer data, if there isn’t anyone doing that job?


It seems a lot easier and more lucrative to just move on. There is so much opportunity out there.


Prioritisation of capabilities will depend on your company’s business model. That is to say, consider how your company makes money: what are their revenue channels? What could impact those and stop the company from generating revenue? Or at least reduce revenue? Are there specific regulatory requirements that apply to your company? What implications would not being compliant have? Could your company lose its ability to trade?

An easy example for senior management might be to ask: if a given revenue channel was not available for an hour, a day or a week, how much would that cost the company? This should bring out some numbers to link it together – think cost/benefit.

Hopefully this will provide more food for thought around quantifying risk and thus prioritising capabilities leading to competencies required to deliver those capabilities. This will in turn help you formulate roles and finally recruit people to fill those roles.


Any regulations you are subject to? Such as HIPAA? GDPR? etc…

What is your boss’s title, and have you asked them? Do you have access to the board?

Does accounting have audits? If you are friends with accounting, go ask them if there were any computer items on the last audit, and get a copy, if possible. When in doubt, blame the auditor. :)

Do you have a password policy?

It costs 10 times as much to clean up after a hack than it does for IT to set it up properly in the first place.

Applying security to a company that has never had any can be extremely difficult. I have tried to do this and ended up pulling my hair out. A “simple” password policy can bring howls of protest. Almost like you asked them to take a 50% pay cut.

You may have to look for other work. PM me if you want more help.


Send everyone in the C-suite the [Last Week Tonight segment about Ransomware]( and tell them that prevention will be substantially cheaper than the alternatives, and that without preventative action it’s a case of when and not if.


Your set up sounds like a breach waiting to happen! I agree with what people are saying here, you need to do a cost benefit comparison and let management know just how f’d they’d be if there was a security breach. Not only from proprietary information and PII data loss but from the lawsuits that would likely follow.


You could start off with a managed security service provider:

They can get your network up to par while your staff gets built up to eventually accept the handoff to a fully private solution that can handle the most modern threats using modern equipment.

The hardest part is convincing management to spend the money and hiring a provider that does security makeovers will provide a lot of presentations, case studies, experience, and specialized guidance that will save a huge amount of money in transition efficiency alone.


As many people have said, showing people the cost of not being secure is a challenge. The scare tactics are a double-edged sword. In my opinion, the only way to “sell” them on it is to get them to suggest it, along with an explanation as to why.

Things like bringing up in passing the costs of a crypto attack, recent vulns on your hardware, etc. Unless they see IT as anything other than a money sink, they won’t want to buy in.

Regardless of their buy-in, do your due diligence: start logging tickets and time spent on security patching and vulnerabilities. Most important thing: find out what and where all of your valuables are. Most companies have no idea where all of their valuables are.

There are many ways to start building a security practice with little to no cost to get things going to make sure that there is at least some visibility over what your company considers most valuable.
