Cybersecurity Program
By John Bandler
Almost every organization needs a cybersecurity program. A cybersecurity program means the organization is actively managing cybersecurity issues and its information assets. This program protects against cybercrime and might be legally required.
"Cybersecurity program" is two words; let's break each one down.
Cybersecurity is simply cyber + security: the process of securing digital information assets and protecting them from cybercrime. For practical convenience, think of it as the same thing as information security (i.e., securing all information assets, not just digital ones). The objectives of cybersecurity are the confidentiality, integrity, and availability (CIA) of information and information systems. I define it further in my short article on cybersecurity, and delve deeper in other articles.
A program means performing continuing activities to address an issue, in this case cybersecurity. Cybersecurity is a broad endeavor, so a "cybersecurity program" anticipates a continuing pursuit with several components, such as:
- Cybersecurity policy (written document that is known, followed, updated)
- Incident response plan
- Management (governance) of the issues and information systems, with people in charge and people consulted
- Decision making (using facts and logic, when faced with the many decisions and options to be considered)
- Training (cybersecurity is about people, and they need knowledge and awareness)
- And so forth.
I used to say "most organizations need a cybersecurity policy," but this statement is not clear enough for some, because there are organizations with a policy that nobody knows about (and there is no point in that).
It is better to focus on a cybersecurity program, which entails all of the above components. We can start with a policy that works and is consulted and followed; the other parts of the program will be specified within a good policy document.
As I work on an organization's cybersecurity, I focus on three main goals: (1) protect from cybercrime, (2) comply with legal requirements, and (3) improve efficiency and the management of information systems.
The overarching motivation should be continual improvement. Good organizations work to continually improve their cybersecurity, how they manage information assets, and other areas of management and operations.
A cybersecurity program is part of information governance. Information governance is basically how you manage your information systems and information assets (see the key terms link below for a definition of that term).
My cybersecurity program
My cybersecurity program is my way of organizing, thinking about, and working on cybersecurity. It is especially useful for organizations that are getting started on cybersecurity and lack internal expertise. Read about my cybersecurity program here.
Additional links
- Build Your Cybersecurity Program
- Bandler's cybersecurity program
- Build Bandler's cybersecurity program yourself
- Maintain and improve Bandler's cybersecurity program yourself
- Cybersecurity Services
- Introduction to Cybersecurity and Information Security
- Bandler's Four Pillars of Cybersecurity
- Cybersecurity Tips From John Bandler
- Cybersecurity Policy (Free Version)
- Cybersecurity things to know
- Policies and Procedures Book
- Cyberlaw book
- Cybersecurity for attorneys (course outline)
- Cybersecurity and Cybercrime Prevention (course outline)
- Cybersecurity course at Udemy
- Key terms definitions
- My article for Reuters, available here: The cybersecurity program of your firm: a quiz and roadmap for next steps, October 21, 2025
This page is hosted at https://johnbandler.com/cybersecurity-program. Copyright John Bandler, all rights reserved.
This page is a key terms definition article.
Page posted 1/30/2025. Updated 11/07/2025
