Cybersecurity · April 24, 2026 · 10 min read

How to Build a Cybersecurity Program for Your SME in 90 Days

You know you need a cybersecurity program but don't know where to start. Here's a practical 90-day roadmap to go from zero to a defensible security posture — without hiring a CISO.

Most small and medium businesses know they need better cybersecurity. The challenge isn't awareness — it's knowing where to start, what to prioritise, and how to make progress without a dedicated security team or an enterprise budget.

This guide provides a practical 90-day roadmap to build a foundational cybersecurity program for your SME — one that's defensible, scalable, and doesn't require a CISO to implement.

What Is a Cybersecurity Program?

A cybersecurity program is the organised set of policies, processes, controls, and governance structures that collectively protect your organisation's information assets. It's the difference between having a few security tools and having a coherent, managed approach to security.

A mature cybersecurity program covers:

  • Governance — who owns security, how decisions are made, how performance is measured
  • Risk management — identifying and prioritising your most significant risks
  • Controls — the technical and procedural measures that reduce risk
  • Incident response — what happens when something goes wrong
  • Compliance — meeting regulatory and contractual obligations
  • Awareness — ensuring your people understand their security responsibilities

The 90-Day Roadmap

Days 1–30: Foundation

Week 1: Establish governance. Define who owns cybersecurity in your organisation. For most SMEs, this is the IT manager or a senior business leader. Document their responsibilities. Get leadership sign-off on the security program.

Week 2: Asset inventory. You can't protect what you don't know you have. Build a basic inventory of your critical assets — servers, endpoints, cloud services, data stores, and key applications.

Week 3: Risk assessment. Identify your top 10 risks. For most SMEs, these will include: ransomware, phishing, credential theft, unpatched systems, and third-party vendor risk. Prioritise by likelihood and impact.

Week 4: Policy foundation. Implement your core security policies — acceptable use, password management, data classification, and incident reporting. These don't need to be perfect; they need to exist and be communicated.

Days 31–60: Controls

Week 5–6: Technical controls. Implement the CIS Controls v8 IG1 (Implementation Group 1) — the 56 safeguards that provide the most risk reduction for the least effort. These include: MFA on all accounts, endpoint protection, automated patching, email filtering, and backup verification.

Week 7: Vendor risk. Identify your top 10 vendors and assess their security posture. At minimum, ensure they have their own security policies and that your contracts include appropriate data protection clauses.

Week 8: Security awareness. Run a basic security awareness session for all staff. Cover phishing recognition, password hygiene, and incident reporting. This is one of the highest-ROI security investments you can make.

Days 61–90: Measurement and Maturity

Week 9–10: Metrics and reporting. Define 5–10 key security metrics — patch compliance rate, MFA adoption, phishing simulation results, open vulnerabilities. Build a simple dashboard to track them.
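The Week 2 inventory, the Week 3 likelihood-and-impact prioritisation, and the Week 9–10 metrics above fit together naturally in a single small register. The Python below is an added illustration, not part of the original post or of any Tektova toolkit: the assets, risk scores and the 1–5 scales are all constructed, and the two metrics it computes (patch compliance rate and MFA adoption) are the ones named in the text, calculated over that constructed inventory.

```python
"""Constructed example: a minimal asset inventory, a likelihood x impact risk
register, and two dashboard metrics from the post. All data is made up."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str            # server / endpoint / cloud / datastore / application
    owner: str
    patched: bool        # patched within the agreed window?
    mfa: bool            # account access protected by MFA?
    critical: bool = False


@dataclass
class Risk:
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int          # 1 (negligible) .. 5 (severe), assumed scale

    def score(self) -> int:
        """Simple likelihood x impact score used to rank the register."""
        return self.likelihood * self.impact


# Constructed Week 2 inventory (hypothetical SME, six assets).
INVENTORY = [
    Asset("fileserver-01", "server", "IT manager", patched=True, mfa=True, critical=True),
    Asset("laptop-alice", "endpoint", "Alice", patched=True, mfa=True),
    Asset("laptop-bob", "endpoint", "Bob", patched=False, mfa=False),
    Asset("m365-tenant", "cloud", "IT manager", patched=True, mfa=True, critical=True),
    Asset("crm-app", "application", "Sales lead", patched=False, mfa=True, critical=True),
    Asset("backup-nas", "datastore", "IT manager", patched=True, mfa=True, critical=True),
]

# Constructed Week 3 register: the five risk themes the post lists for most SMEs.
RISKS = [
    Risk("Ransomware", likelihood=4, impact=5),
    Risk("Phishing", likelihood=5, impact=3),
    Risk("Credential theft", likelihood=4, impact=4),
    Risk("Unpatched systems", likelihood=3, impact=4),
    Risk("Third-party vendor risk", likelihood=2, impact=4),
]


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest likelihood x impact first; ties keep register order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def _percentage(count: int, total: int) -> float:
    # An empty inventory yields 0.0 rather than a division error.
    return round(100.0 * count / total, 1) if total else 0.0


def patch_compliance_rate(assets: list[Asset]) -> float:
    """Percentage of inventoried assets patched within the window."""
    return _percentage(sum(a.patched for a in assets), len(assets))


def mfa_adoption(assets: list[Asset]) -> float:
    """Percentage of inventoried assets whose access is MFA-protected."""
    return _percentage(sum(a.mfa for a in assets), len(assets))


def unpatched_critical(assets: list[Asset]) -> list[str]:
    """Critical assets outside the patch window: the first place to look."""
    return [a.name for a in assets if a.critical and not a.patched]


def dashboard(assets: list[Asset], risks: list[Risk]) -> dict:
    """The handful of numbers a Week 9-10 dashboard would show."""
    ranked = prioritise(risks)
    return {
        "assets": len(assets),
        "patch_compliance_pct": patch_compliance_rate(assets),
        "mfa_adoption_pct": mfa_adoption(assets),
        "unpatched_critical": unpatched_critical(assets),
        "top_risk": ranked[0].name if ranked else None,
        "risk_ranking": [(r.name, r.score()) for r in ranked],
    }


if __name__ == "__main__":
    for key, value in dashboard(INVENTORY, RISKS).items():
        print(f"{key}: {value}")
```

Running the block prints the dashboard for the constructed data: 66.7% patch compliance, 83.3% MFA adoption, `crm-app` as the one critical asset outside the patch window, and ransomware at the top of the register. Tracking those same numbers week over week is the "simple dashboard" the roadmap asks for; the scoring scale and thresholds are choices your own risk assessment should set.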

Week 11: Incident response. Ensure you have a documented incident response plan and that key staff know their roles. Run a tabletop exercise.

Week 12: Review and roadmap. Assess where you are against your starting point. Identify the top 5 gaps remaining. Build a 12-month roadmap for continued improvement.

Frameworks to Guide Your Program

Two frameworks are most relevant for SMEs:

NIST Cybersecurity Framework (CSF) — A flexible, risk-based framework organised around five functions: Identify, Protect, Detect, Respond, Recover. It's widely recognised and maps well to SME needs.

CIS Controls v8 — A prioritised set of 18 control categories with specific, actionable safeguards. The IG1 subset (56 safeguards) is specifically designed for organisations with limited security resources.

You don't need to implement both in full. Use NIST CSF as your governance framework and CIS Controls as your technical implementation guide.

Common Pitfalls

Trying to do everything at once. Security programs fail when organisations try to implement everything simultaneously. The 90-day roadmap works because it sequences activities logically — governance before controls, controls before measurement.

Treating it as an IT project. Cybersecurity is a business risk management function. It needs business leadership involvement, not just IT execution.

Buying tools before defining requirements. Many SMEs spend money on security tools before understanding what risks they're trying to address. Define your risks first, then select controls.

No measurement. Without metrics, you can't demonstrate progress or identify where to focus next. Even simple metrics are better than none.

Getting Started

Tektova's Cybersecurity Program toolkit provides everything you need to execute this 90-day roadmap — a Program Charter template, risk register with pre-loaded SME threat scenarios, CIS Controls v8 mapping, KPI dashboard, executive reporting templates, and a budget planning guide. It's designed for organisations that need to build a defensible security program without hiring a CISO.

Summary

Building a cybersecurity program doesn't require a large team or a large budget. It requires a structured approach, clear priorities, and consistent execution over time. The 90-day roadmap above gives you a practical starting point — one that will take your organisation from no program to a defensible security posture in three months.

The most important step is the first one. Start with governance, build your foundation, and iterate from there.
