CLEARTEXT - Top Dos and Don'ts when building a cybersecurity program

Matt Shafner

A cybersecurity program is table stakes for any business where uptime or sensitive data impact revenue. Starting a cybersecurity program in 2026 isn't about chasing AI hype; it's about disciplined prioritization that closes the attack paths that still dominate: phishing (fueling 35-45% of ransomware), stolen credentials, and unpatched vulnerabilities. As an MSSP that has watched budgets vanish on tool sprawl while the basics fail, we offer this no-fluff guide to what works.

Hard-won lessons from the trenches

Starting a cybersecurity program isn't supposed to be exciting. It's not about stacking the latest AI-powered toys or plastering your walls with compliance certificates. It's about making pragmatic choices that actually stop attackers before they stop your business. As an MSSP that has seen what works and what just looks shiny, here's the no-BS version of what moves the needle and what just burns cash.

Tools

Don’t: Buy every tool under the sun unless you can staff them

Do: Invest in premium EDR and email security tools

Early-stage programs drown in tool sprawl. Focus your limited budget and headcount where breaches actually start: endpoints getting owned and inboxes getting phished. Modern EDR (endpoint detection and response) tools not only catch malware in motion but also provide deep insight into the full attack chain (e.g. web requests, file downloads, processes spawned, etc.). That lets you see which tactics were used and why they nearly succeeded, which feeds continuous improvement. Strong email security with ML-based phishing detection, URL detonation, attachment sandboxing, and BEC detection blocks a large share of the attacks that would otherwise give an attacker initial access. Couple these with multi-factor authentication for all public-facing (or all) logins and you have a great start. Skip the exotic toys until you have the basics locked down and people to watch them.

Hot Take: Network-based tools like IPS and NDR deliver little ROI in the early stages. If you can’t reliably stop malware and phishing, AI-analyzed packet captures won’t save you.

Governance

Don’t: Start with stringent policies (e.g. NIST) before you understand what’s realistic for your organization

Do: Aspire to a practical framework like CIS 18 Critical Security Controls

While the NIST frameworks may be the gold standard, trying to swallow the full 800-53 on day one is like teaching calculus before addition. Most organizations choke on the bureaucracy and end up with unused policies collecting dust on a file share. CIS 18 gives you prescriptive, prioritized categories of controls that map directly to real attacker behaviors. It's offense-informed defense: stop the common attacks first. Ramp up with the IG1 controls and, once you have your feet under you, consider IG2 and IG3. You'll get measurable risk reduction fast, without the policy bloat that kills momentum.

Hot Take: A policy nobody follows is worse than no policy at all. It creates audit theater, potential legal liability and a false sense of security.

Patching

Don’t: Assume your patching is working without verification

Do: Validate patching with recurring vulnerability assessments

Patching tickets say "done," but that log4j vulnerability is still lurking on the unmanaged system in your data center. Don't assume everything is patched without verifying it. Run authenticated vulnerability scans at least quarterly (or more often) to prove that patches are applied and configurations are hardened. Tools like Tenable, Qualys, or Rapid7 are a good start, but you also need experienced pros to properly assess and prioritize the overwhelming number of CVEs the scanner will spit at you. Focus on exploitability and risk-based remediation.

Hot Take: If you don’t vulnerability scan, you’re guessing. Patching without a mechanism to confirm effectiveness is only doing half the job. Vulnerability scanning is one of the best ROIs you can get from security spend and is a good way to provide oversight for your patching operations.
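The verification and prioritization described above, as an added example that is not part of the original post: it reconciles constructed patching-ticket data against constructed scan findings (placeholder hosts and placeholder CVE ids, not real vulnerabilities), flags tickets closed as "done" that the scanner still reports, lists hosts patching never ticketed at all, and orders findings by exploitability and exposure before raw CVSS.

```python
import csv
import io

# Constructed sample data (not from any real scanner or ticket system).
# CVE identifiers below are placeholders, not real vulnerability ids.
TICKETS_CSV = """ticket,host,cve,status
T-101,web01,CVE-0000-1111,done
T-102,db01,CVE-0000-1111,done
T-103,web01,CVE-0000-2222,open
"""

SCAN_CSV = """host,cve,cvss,exploited_in_wild,internet_facing
web01,CVE-0000-1111,10.0,yes,yes
web01,CVE-0000-2222,6.5,no,yes
db01,CVE-0000-3333,7.5,no,no
legacy01,CVE-0000-1111,10.0,yes,no
"""


def load_rows(csv_text):
    """Parse CSV text into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def unverified_done_tickets(tickets, findings):
    """Tickets marked 'done' whose host/CVE pair the scanner still reports."""
    still_open = {(f["host"], f["cve"]) for f in findings}
    return [t["ticket"] for t in tickets
            if t["status"] == "done" and (t["host"], t["cve"]) in still_open]


def unmanaged_hosts(tickets, findings):
    """Hosts with findings that the patching process has never ticketed."""
    ticketed = {t["host"] for t in tickets}
    return sorted({f["host"] for f in findings} - ticketed)


def prioritize(findings):
    """Rank by known exploitation, then exposure, then CVSS (all descending)."""
    def key(f):
        return (f["exploited_in_wild"] == "yes",
                f["internet_facing"] == "yes",
                float(f["cvss"]))
    return sorted(findings, key=key, reverse=True)


if __name__ == "__main__":
    tickets, findings = load_rows(TICKETS_CSV), load_rows(SCAN_CSV)
    print("done but still vulnerable:", unverified_done_tickets(tickets, findings))
    print("never ticketed:", unmanaged_hosts(tickets, findings))
    for f in prioritize(findings):
        print(f["host"], f["cve"], f["cvss"])
```

Note that the ranking puts an internet-facing CVSS 6.5 ahead of an internal CVSS 7.5, which is the point of risk-based rather than score-based remediation.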

Risk Management

Don’t: Build extremely complex risk management procedures from the start

Do: Start with a basic risk register in Excel and review it with stakeholders on a regular basis

Early security programs love to over-engineer risk management. You’ll see 12-column spreadsheets, bespoke scoring formulas, Monte Carlo simulations, and dashboards that look impressive—but answer nothing. Most of it never gets updated, and none of it drives decisions.

Start simple. A risk register should answer four basic questions:

  • What could go wrong?
  • How bad would it be?
  • How likely is it right now?
  • Who owns the decision?

A lightweight risk register reviewed quarterly with IT and business leaders does more to reduce real risk than an elaborate model nobody trusts. Focus on clear language, clear ownership, and clear decisions: accept, mitigate, transfer, or avoid. Tie risks to real assets and real processes, not abstract control gaps. As your program matures, you can introduce more sophisticated methods such as quantitative risk analysis, which lets you attach dollars to risks.

Hot Take: Risk management exists to enable decisions, not to look smart. If no one is making or approving risk decisions, your “risk program” is just documentation cosplay.
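The four questions and the quarterly review above, as an added example that is not part of the original post: a constructed register in CSV form (the same columns you would keep in a spreadsheet) with a 1-5 impact and likelihood scale, plus a check that flags rows missing an owner or a decision and rows not reviewed within 90 days, so the review meeting starts with the highest-scored risks and their open issues.

```python
import csv
import io
from datetime import date

# Constructed sample register; ids, owners and risks are illustrative only.
REGISTER_CSV = """id,what_could_go_wrong,impact,likelihood,owner,decision,last_reviewed
R1,Ransomware via phished workstation,5,4,CIO,mitigate,2026-01-15
R2,Unpatched internet-facing server exploited,5,3,IT Director,mitigate,2025-06-01
R3,Laptop with customer data lost,3,3,,,2026-02-01
R4,Vendor portal outage,2,2,COO,accept,2026-01-20
"""

DECISIONS = {"accept", "mitigate", "transfer", "avoid"}
REVIEW_DAYS = 90  # quarterly review cadence


def load_register(csv_text):
    """Parse the register CSV into a list of dicts, one per risk."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def score(risk):
    """Plain impact x likelihood on 1-5 scales; no bespoke formulas."""
    return int(risk["impact"]) * int(risk["likelihood"])


def problems(risk, today):
    """Why a row fails the four questions or is no longer current."""
    issues = []
    if not risk["owner"]:
        issues.append("no owner")
    if risk["decision"] not in DECISIONS:
        issues.append("no decision")
    reviewed = date.fromisoformat(risk["last_reviewed"])
    if (today - reviewed).days > REVIEW_DAYS:
        issues.append("stale review")
    return issues


def review_agenda(register, today):
    """Highest-scored risks first, each with its open issues."""
    ranked = sorted(register, key=score, reverse=True)
    return [(r["id"], score(r), problems(r, today)) for r in ranked]


if __name__ == "__main__":
    for rid, s, issues in review_agenda(load_register(REGISTER_CSV), date.today()):
        print(rid, s, ", ".join(issues) or "ok")
```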

Wisdom is knowing what you don't know

Don’t: Go it alone and assume you’re building in the right direction

Do: Bring in experienced outside help until you build internal expertise

MSSPs and cybersecurity consultants live in dozens of environments; we can spot blind spots you won't see until the forensics report. Engage one early for program design, tool selection, and an initial maturity assessment. Use them to accelerate the first 12–18 months, then transition the knowledge inward as it makes sense. It's cheaper than your first ransomware payment. That said, not all consultants are equal: make sure yours provides custom, risk-based advice specific to your business, not a laundry list of action items to check off.

Hot Take: “We’ll figure it out as we go” is one of the most expensive phrases in cybersecurity.

Bottom line

Cybersecurity maturity isn't measured in tools deployed or dollars spent—it's measured in attack paths closed and time bought back for the business. Start small, stay focused, verify everything, and get help early. The trenches are littered with organizations that ignored these lessons. Don't join them.

As an MSSP, we've helped dozens turn chaotic starts into defensible programs. Reach out if you're staring at the same fork in the road.
