What is Bandler's Cybersecurity Program

By John Bandler

Almost every organization needs a cybersecurity program.

Here we discuss my cybersecurity program, my way of organizing, thinking about, and working on cybersecurity, which is especially useful for organizations that are just getting started on cybersecurity and that lack internal expertise.

Every organization needs to have a cybersecurity program, but not every organization can have in-house cybersecurity or technical expertise. This article helps make the program happen for any organization.

It is customizable, and the organization remains in charge of all the necessary decisions about itself. It aligns with my terminology, thinking, and philosophy on many related items.

This program is not right for everyone, but it is right for some.

A cybersecurity program

As I cover in another article (links below), an organization's cybersecurity program means actively managing and acting on cybersecurity matters. Usually this means there is a written cybersecurity policy in place (establishing the internal rules of the organization), a person in charge, a reasonable degree of effort, decision making, and training.

The automobile analogy

Here's my analogy: This is like picking a car. Let's say the car I build and provide is a Honda Odyssey minivan. You can decide what color, what features, whether to wear the seatbelt or not, how fast to drive, and other decisions about configuration, driving, maintenance, and where you are going.

An Odyssey is great for people who want a solid car, or a minivan, or who specifically want the Odyssey. But if you want to build your own custom car, it is not for you. If you want a race car or an off-road car, it's not right for you.

Similarly, my cybersecurity program is going to work for a lot of organizations, and it is suitable and adaptable for almost any small organization, and many mid-sized ones. But some of these organizations will want something else, and that is OK.

A solution you can drive with just a little bit of effort and prep

Small and mid-sized organizations have limited time and funds but need cybersecurity just like any other organization. This provides a solution for them.

Smaller organizations should generally not build themselves a program equivalent to a custom car, or a Ferrari or Lamborghini. They need a cybersecurity program that is similar to a solid, reliable, easy to use minivan. My program is simple and clear as they learn how to manage their cybersecurity and information systems and then improve upon it each year.

As I work with small organizations, people ask me questions about terminology, technology, cybersecurity, risk, law, and legal compliance. As I write and refine policies and procedures, I know that every word, sentence, and paragraph needs to be explainable and defensible. Policies need to be brief, but some may not understand a term, so it's nice to have definitions elsewhere. My freely available additional resources help keep policies short, with deeper explanations available when needed.

My cybersecurity program

My cybersecurity program provides a template for the important things organizations need to do to manage and address cybersecurity.

This includes:

  • Cybersecurity policy (written document that is known, followed, updated)
  • Incident response plan (within the above policy)
  • The policy establishes important processes including:
    • Management (governance) of the issues and information systems, with people in charge and people consulted
    • Decision making (using facts and logic, when faced with the many decisions and options to be considered)
  • Training (cybersecurity is about people, and they need knowledge and awareness)
  • And so forth.

The big picture and goal

Organizations should keep their focus on these three main goals:

  1. Protect from cybercrime,
  2. Comply with legal requirements,
  3. Improve efficiency and improve the management of information systems.

The overarching motivation should be continual improvement. Good organizations work to continually improve their cybersecurity, how they manage information assets, and other areas of management and operations.

A cybersecurity program is part of information governance.  Information governance is basically how you manage your information systems and information assets (see link below for definition of that term).

Obviously doing this takes work, effort, and time. Policies need to be followed or they are meaningless.

Managing cybersecurity is similar to managing any other aspect of an organization, except it is frequently overlooked and underserved.

My services

My services can apply my cybersecurity program to almost any small or mid-sized organization, and this is the most efficient way for me to work with organizations. We see the highest learning and improvement curve.

When organizations trust me, my recommendations, and my process, we can get good policies into place quickly, focus on the basics and start developing good habits, practices, and culture for information management and cybersecurity.

If an organization is without a program at all, I can get them into mine and up to speed very quickly.

I can also review and improve other cybersecurity documentation and practices, since some organizations already have a policy or program in place that they want to improve further. This requires a little more review as to where they are now and where they want to go, and if that is compatible with where I can lead them.

Contact me for services or see my cybersecurity services page.

Build-it-yourself resources (DIY)

You can build your cybersecurity program yourself following my guidance through my webpages or fuller course.

I have been offering a free cybersecurity policy since 2021, which creates the organizational backbone of a cybersecurity program. Now I am building other resources to ensure a full program is developed.

I am building other free resources (time permitting), including:

  • Free resources for those managing the organization's cybersecurity program
  • Free training resources to train all of the organization's employees each year
  • A free annual review and update checklist for organizations using my system.

Fuller links at bottom, or see these first two steps:

If you appreciate the free resources I am providing, please consider the thoughts in my article Give Forward or Give Back.

Review, maintain, and improve your cybersecurity program

Once the cybersecurity program is built and in place, it needs to be reviewed, maintained, and improved. The organization should review these things annually (at a minimum).

  • Documents: Cybersecurity policy and incident response
    • These documents should exist, and people should know about them and be trained on them
    • Are there changes that are clearly necessary?
    • Are there changes that are desired?
  • Practices:
    • Review existing practices, compare to what the documents and best practices require, look for improvements
  • People:
    • Someone should be in charge of cybersecurity
    • Every person should realize they have important duties regarding cybersecurity
  • Training: all employees should receive some training.

You can maintain and improve it yourself with my resources

Not every organization has in-house expertise or can hire externally to maintain and improve their cybersecurity program, but that work must still take place. I created resources for those DIY organizations.

See maintain and improve your implementation of Bandler's cybersecurity program yourself.

Additional links

This page is hosted at https://johnbandler.com/bandlers-cybersecurity-program. Copyright John Bandler, all rights reserved.

Page posted 9/8/2025. Updated 12/11/2025