6 Steps to Build a Cost-Effective Information Security Program


It’s difficult for organizations of all sizes to navigate information security risks and establish strong programs to address those risks.

Organizations also often fear that establishing an information security program will be costly and time-consuming.

However, many organizations recognize that a cyber incident is inevitable, and that investing in prevention is more effective than simply reacting after an event occurs.

Cost-Effective Security

A practical approach is to build a cost-effective information security program using readily available tools and tailored to the threats specific to your organization.

What Is an Information Security Program?

An information security program is the set of processes and mechanisms, including procedural, technical, administrative, and physical safeguards designed to protect the security and functionality of your organization from potential hazards and unauthorized access to its data.

What Are the Recommended Practices for Monitoring and Protecting Critical Business Resources?

Organizations often invest significant effort and resources into protecting assets that aren’t truly critical.

A risk-based approach focuses on identifying which resources—data, systems, and processes—are critical and applying controls proportional to their importance.

Key Areas

  • Identification and management. Identify critical resources including processes that support the organization’s strategic advantage.
  • Layered protection. Implement access controls, encryption, firewalls, access control lists (ACLs), application allowlisting, and network monitoring technologies so that no single control failure exposes a critical resource.
  • Continuous monitoring. Monitor critical resources using security logs to detect threats early.
  • Proactive vulnerability management. Regularly identify and remediate vulnerabilities and monitor for malware in real time.
  • Third-party oversight. Perform due diligence on vendors and partners that handle your sensitive data, and monitor threat intel feeds for any potential issues with systems managed by external parties.
  • Employee training. Provide education on security risks and best practices to staff who handle high-risk resources or have escalated privileges.

What Is a Risk-Based Approach to Security Compliance?

When an IT breach makes headlines, the first response for many businesses is to identify the source of the breach and rush to make sure that particular breach can’t happen to them.

However, this often leads to an ongoing game of whack-a-mole because threat actors continually evolve their tactics, techniques, and procedures (TTPs).

What was once an effective breach technique could morph into a new strain of malware or another technique that wasn’t anticipated or even previously known, which still leaves you vulnerable.

When your organization takes a more risk-based approach to security compliance, it anticipates and projects problems that might occur to prepare its potential responses and solutions ahead of time.

Performing regular assessments, such as a rapid assessment, takes the pulse of the current information security program and identifies security gaps so they can be closed before a breach instead of after one.

Build Your Information Security Program in Six Steps

There are six steps to implement this type of strategy:

  1. Identify your assets and rank them according to their criticality
  2. Identify and prioritize risks
  3. Implement foundational information security controls
  4. Identify any residual risk remaining and determine if further controls are required
  5. Monitor, test, and improve on controls in an iterative approach to continue to mature the program and manage relevant risks
  6. Establish executive support and organizational engagement around the program

Once you implement these steps, they could help keep risk at an acceptable level, so key stakeholders can respond quickly and appropriately to future threats.

1. Identify Assets

First, take stock of the resources you have, then assess their value and threats that may impact them.

To build an effective risk-based program, you must first understand your assets, including their:

  • Type. Application, data, hardware, AI
  • Location. Cloud, on-premises, transitory
  • Value. Monetary value, intellectual property, trade secrets
  • Access rights. Logical, physical, privileged
  • Purpose. Supports a specific process
  • Threats likely to materialize. Loss of availability, integrity, or confidentiality
  • Criticality. Supports key strategic functions, and critical or sensitive data

A surprising number of organizations don’t know what crown jewels or critical resources they have.

For example, if your organization uses a third-party vendor as part of its IT ecosystem, and most organizations do, your critical data could be replicated and backed up in multiple places unknown to you.

2. Identify and Prioritize Risks

Identifying risk encompasses an examination of the people, processes, and systems with which your organization interacts.

Consider the possible objectives of an advanced persistent threat, a formidable threat actor, available attack vectors, and resources available for preventing a security breach. It’s also helpful to look ahead at emerging threats.

Also consider risks that don’t originate from external threat actors, such as human error, data exposure through email or generative AI tools, and risk inherited through third-party services such as SaaS solutions.

3. Implement Foundational Information Security Controls

After you identify risks, you can implement the foundational security controls and processes mentioned above. These should be operational and tested on a regular basis regardless of business size or complexity.

Your testing schedule will depend on several factors including your business model, information architecture, and risk exposure.

To help you implement effective foundational controls, consider the following essential practices:

  • Ensure security is integrated with the culture of the organization from the top down
  • Inventory and assign ownership of organizational resources (physical, virtual, and data)
  • Implement strong access controls based on job function and need-to-know principles (implement multifactor authentication wherever possible)
  • Protect data at rest and in transit with strong cryptographic controls
  • Identify, track, and resolve threats through vulnerability, patch, and malware management programs
  • Monitor key ingress and egress points into the environment and correlate event information in a centralized repository for timely review and response
  • Implement and regularly test an incident response program capable of detecting, responding to, recovering from, and mitigating security incidents
  • Regularly train employees to recognize and respond appropriately to security threats such as phishing and credential theft
  • Identify, monitor, and manage third-party and supplier relationships and risk

4. Identify Residual Risk

Foundational security controls will not reduce risk to zero. Residual risk is the risk that remains after a control has been implemented, and it can remain in either the likelihood or the potential impact of an attack. It’s important to identify those risks and implement any additional controls that fit within the organization’s risk tolerance without unduly burdening it.

Additional controls may include:

  • More restricted or monitored processes that alert on anomalous activity
  • Greater segmentation between critical resources and non-critical resources to reduce the impact and likelihood of common attacks
  • Reporting of risks to executive and board leadership so that residual risk is formally accepted and shared rather than carried silently by the security team
  • Insurance to help shift the remaining impact over to an insurer
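The following is an added example, not code from the original article or from Baker Tilly, that works steps 1, 2, and 4 in a small risk register: assets are tagged with the attributes listed in step 1, each threat scenario gets a likelihood and impact score plus an annual rate of occurrence (ARO) and single loss expectancy (SLE), foundational controls reduce those figures, and a candidate additional control is judged by whether its expected annual loss reduction covers its cost. The scoring model (likelihood × impact × criticality weight, ARO × SLE, independent controls multiplying) and every asset, scenario, dollar figure, and control name are assumptions constructed for illustration, not data from the page.

```python
"""Minimal risk register for steps 1, 2 and 4 of the article.
All assets, threats, controls and figures below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Step 1: criticality drives how much weight a scenario carries in the ranking.
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # application | data | hardware | ai
    location: str      # cloud | on-premises | transitory
    owner: str         # every asset needs an accountable owner
    criticality: str   # low | medium | high | critical


@dataclass(frozen=True)
class Threat:
    asset: str         # Asset.name the scenario applies to
    scenario: str
    property: str      # confidentiality | integrity | availability
    likelihood: int    # 1 (rare) .. 5 (expected this year)
    impact: int        # 1 (negligible) .. 5 (severe)
    aro: float         # annual rate of occurrence, events per year (assumed)
    sle: float         # single loss expectancy, dollars per event (assumed)


@dataclass(frozen=True)
class Control:
    name: str
    assets: frozenset        # asset names the control protects
    properties: frozenset    # properties it protects; empty means all three
    aro_reduction: float     # fraction of occurrences it prevents (0..1)
    sle_reduction: float     # fraction of per-event loss it contains (0..1)
    annual_cost: float

    def applies_to(self, threat: Threat) -> bool:
        return threat.asset in self.assets and (
            not self.properties or threat.property in self.properties)


def residual_factor(reductions: Iterable[float]) -> float:
    """Independent controls multiply: two 50% reductions leave 25% of the risk."""
    factor = 1.0
    for r in reductions:
        factor *= 1.0 - r
    return factor


def score(asset: Asset, threat: Threat, controls: List[Control]) -> Dict:
    """Inherent and residual risk for one threat scenario against one asset."""
    active = [c for c in controls if c.applies_to(threat)]
    lf = residual_factor(c.aro_reduction for c in active)   # likelihood left
    sf = residual_factor(c.sle_reduction for c in active)   # impact left
    weight = CRITICALITY_WEIGHT[asset.criticality]
    return {
        "asset": asset.name,
        "scenario": threat.scenario,
        "inherent_score": threat.likelihood * threat.impact * weight,
        "residual_score": threat.likelihood * lf * threat.impact * sf * weight,
        "inherent_ale": threat.aro * threat.sle,              # annualized loss expectancy
        "residual_ale": threat.aro * lf * threat.sle * sf,
        "controls": [c.name for c in active],
    }


def rank_risks(assets: List[Asset], threats: List[Threat], controls: List[Control]) -> List[Dict]:
    """Step 2: highest residual score first, ties broken by inherent score."""
    by_name = {a.name: a for a in assets}
    rows = [score(by_name[t.asset], t, controls) for t in threats]
    return sorted(rows, key=lambda r: (r["residual_score"], r["inherent_score"]), reverse=True)


def net_benefit(candidate: Control, assets, threats, existing: List[Control]) -> float:
    """Step 4: yearly dollars saved by adding `candidate` on top of the existing
    controls, minus its cost. A negative value means the control is not worth it."""
    before = sum(r["residual_ale"] for r in rank_risks(assets, threats, existing))
    after = sum(r["residual_ale"] for r in rank_risks(assets, threats, existing + [candidate]))
    return (before - after) - candidate.annual_cost


# Constructed sample inventory (step 1).
ASSETS = [
    Asset("customer-db", "data", "cloud", "data-platform", "critical"),
    Asset("hr-portal", "application", "on-premises", "hr-it", "high"),
    Asset("lobby-kiosk", "hardware", "on-premises", "facilities", "low"),
]
# Constructed threat scenarios (step 2).
THREATS = [
    Threat("customer-db", "credential phishing leads to data exfiltration", "confidentiality", 4, 5, 0.5, 400_000),
    Threat("customer-db", "ransomware encrypts production and backups", "availability", 3, 5, 0.2, 600_000),
    Threat("hr-portal", "unpatched web application exploited", "integrity", 3, 3, 0.3, 80_000),
    Threat("lobby-kiosk", "kiosk display defaced", "integrity", 2, 1, 1.0, 2_000),
]
# Foundational controls already in place (step 3), with assumed effectiveness.
FOUNDATIONAL = [
    Control("MFA on all customer-db access", frozenset({"customer-db"}), frozenset(), 0.6, 0.0, 20_000),
    Control("monthly patching", frozenset({"hr-portal", "lobby-kiosk"}), frozenset(), 0.5, 0.0, 15_000),
]
# Candidate additional controls to evaluate against residual risk (step 4).
IMMUTABLE_BACKUPS = Control("immutable offline backups", frozenset({"customer-db"}),
                            frozenset({"availability"}), 0.0, 0.7, 30_000)
KIOSK_MONITORING = Control("24x7 kiosk monitoring", frozenset({"lobby-kiosk"}),
                           frozenset(), 0.9, 0.0, 10_000)

if __name__ == "__main__":
    for row in rank_risks(ASSETS, THREATS, FOUNDATIONAL):
        print(f'{row["residual_score"]:6.1f}  {row["asset"]:12} {row["scenario"]}  '
              f'(residual ALE ${row["residual_ale"]:,.0f}; controls: {", ".join(row["controls"]) or "none"})')
    for candidate in (IMMUTABLE_BACKUPS, KIOSK_MONITORING):
        print(f"{candidate.name}: net benefit ${net_benefit(candidate, ASSETS, THREATS, FOUNDATIONAL):,.0f}/yr")
```

With these sample figures the two customer-db scenarios rank first even after MFA, so that is where the next dollar should go; the immutable-backup control narrowly pays for itself against the ransomware scenario, while round-the-clock monitoring of the low-criticality kiosk costs far more than the loss it would avert. That is the point of step 4 and of the earlier warning against over-protecting assets that aren’t truly critical: a control is justified by the residual risk it removes, not by how thorough it looks.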

5. Monitor, Test, and Improve Implemented Controls

A common pitfall is implementing controls and not revisiting them.

Controls need to be regularly tested and assessed to confirm they still meet the requirements of a changing threat landscape and that no new residual risk has been introduced into the environment.

Improvements to controls could involve process changes, incorporating new or updated technology into the organization, or additional staffing. These improvement efforts become the basis for new roadmap projects.

Costs, timelines, and staffing needs are identified for each project, along with estimated risk reduction values. Depending on the information security maturity of the business, the projects can be foundational, advanced, administrative, or technical in nature.

6. Establish Executive Support and Organizational Engagement

It’s the responsibility of information security leadership to clearly articulate the value of funding these programs and their potential impact to executive leadership.

One of leadership’s most important tasks is to secure appropriate funding and resources, which can be a daunting obstacle, especially if there’s a trend within the organization towards a higher-than-average risk tolerance.

However, information security should be an active boardroom topic.

If it’s not, find a supporter or executive sponsor for the information security program. Inform this sponsor about information security, what the program aims to achieve, and the expectations of executive leaders so they can support security initiatives.

Quantifying risk in terms of dollars spent versus dollars lost is an effective way to get the attention and support of executive leadership.

Understanding what assets you have, identifying which risks matter most, and implementing basic controls help ensure you protect the right things first.

Continuously checking and improving those controls, addressing any leftover risks, and keeping leadership involved helps security become an ongoing, shared responsibility.

We’re Here to Help

To learn more about how you can protect your organization with a cost-effective information security program, contact your firm professional.


Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Baker Tilly Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.