
Cybersecurity | Consulting

4 Steps of a Formal Cybersecurity Program

March 1st, 2022 | 10 min. read


Cybersecurity is one of the most important concerns for any business. Businesses with Employee Stock Ownership Programs (ESOP) need to pay special attention to keeping their employees safe from cyber-criminals. Cybercrime can be scary for any business, big, medium, or small. If your business doesn’t have the tools to protect your beneficiaries, Guide Star is here to help. 

In April 2021, the Department of Labor released cybersecurity best practices for fiduciaries to prevent vulnerabilities. Dive in deeper and learn about the first cybersecurity guideline recommended by the Department of Labor, which is how to create a formal program from scratch. 

Creating a Formal, Well-Documented Cybersecurity Program 

Before talking about how to keep your business’s vulnerable information safe, your business needs to have a formal cybersecurity program. While this may seem like a daunting task, it is important to make sure you are protected.  

How do you achieve this?  

1. Understanding your business from the top down. 

Before you dive headfirst into the world of cybersecurity, you need to understand your business and the risks that come with it. Is your business a car dealership or are you a small engineering firm? What kind of sensitive information do you have stored in the cloud or on a server? 

Knowing your business and documenting the risks that come with it will help you choose a framework. Once you fully understand what your business is, it’s important to catalogue the systems your employees use. This will give you an understanding of the kind of protection your business needs to stay safe. 

2. Pick a framework.

Now that you have a good sense of what your business (and its risks) is, it’s time to pick a framework that suits your business. A cybersecurity framework is defined as a group of standards or best practices, often developed by an independent third party, that a business should adopt to manage or eliminate cybersecurity exposure. Cybersecurity frameworks come in two paths: Do It Yourself or adopt a third-party standard framework.  

There are many benefits to using a third-party-administered framework as opposed to a Do-It-Yourself one, including: 

  • A governing body for the standard ensures the completeness and relevance of the program.
  • It is easy to communicate externally.
  • It may support formal audits and corporate certification.
  • The company gains a clear understanding of both technical and legal protections.

There are many different cybersecurity frameworks to choose from, each with different levels of compliance and even specialties. It is important to align to a framework (or frameworks) that will work with your business’s needs; for example, a DoD contractor will comply with the NIST framework, while an international company may choose ISO27001.  

The Center for Information Security (CIS20) is aimed at helping small and mid-sized companies improve their cybersecurity. This framework is often an excellent choice for ESOP organizations as it strikes a good balance between providing protections and not being too complex.  

3. Create policies and procedures.

After you have chosen a framework, it’s time to get to work. Having a well-documented program starts with creating policy. Policies should be high-level standards that align with your chosen framework.  

An example policy is: “All employees of Acme Engineering will undergo cybersecurity awareness training within two weeks of hire”. These policies are what you will bring to your board members for approval.  

If the policies define the what, the procedures define the how. Procedures are more detailed and do not require board approval to change. Procedures should ensure that the spirit of the policy is achieved, but they should also be flexible and able to adjust to your business needs. Your policies and procedures in combination represent the documentation the DOL will want to see to show that you have a formal cybersecurity program. They will need to be formally reviewed and updated at least annually. The program and a third-party evaluation of its effectiveness should be submitted formally to your board each year, and the approval entered into the minutes.  

4. Build a program you can achieve.

Once your board has approved the cybersecurity program’s policies, it is important to review your new program. Take a step back and make sure that everything you have committed to is feasible.  

Cybersecurity is not a destination; it is a journey. You will need to adjust your policies and procedures to keep up with the never-ending changes that technology brings. The standards you set today will most likely not be the same standards you need ten years into the future.  

When you are finally ready to launch your new cybersecurity program, it is important to expect the unexpected. It’s human nature to be hesitant to change. Some employees might not understand the need to have a cybersecurity program.  

Do you remember when corporate safety programs became the standard? Some companies refused to comply with OSHA’s requirements to have safety training or a safety program. They ended up being unable to get bids for projects.  

Getting ahead of the game for cybersecurity will save your business headaches in the long run.  

Other Considerations for Cybersecurity  

Be transparent with your employees about your new cybersecurity program.

Your policies and procedures shouldn’t be a secret. After all, your employees will be instrumental in keeping your company safe from cybercriminals. Every employee owner will notice changes, so it’s important to educate them on the policies and procedures that will take effect. Taking the time to answer any questions and listen to concerns will help you gain their buy-in. Having their confidence will make your program more successful. 

Not everyone is as proficient with computers as a younger employee who grew up as technology evolved into what it is today. There is a good chance that someone, yourself included, will make a mistake. And that’s okay! It's why you have the cybersecurity program in the first place.  

Integrate policies into your culture.  

Having an ESOP gives employees the opportunity to own a share of the company. This gives your employees a sense of community and rewards them for the hard work they provide your business.  

Your new cybersecurity program should be incorporated into your existing culture. Be sure to include any cybersecurity measures in your corporate risk management program. Protecting the business from cybercriminals will protect your employees and their assets.  

Document everything in the creation of your program.  

Documenting your cybersecurity program every step of the way will save you headaches down the line. Document what risks your company has, how you are going to protect your assets, and how you will respond to any major cybersecurity breaches.  

Share your plan with your trustees and board, and make sure that it is listed in any official meeting minutes. When your plan evolves, have your executive team send out updates and communicate what the changes entail.  

Make sure your IT employees are on board.  

Your IT department is the expert when it comes to your company’s technological infrastructure. When the cybersecurity program is ready to begin, set expectations with IT so they can prepare for rollout.  

Answer any questions they might have and make sure they know that you are available to listen to their concerns. 

Engage a third party for a formal assessment. 

Once you have baseline protections in place and a formal program documented, you should engage a reputable third-party cybersecurity expert. This cybersecurity “Red Team” partner will determine the effectiveness of your program and inform you of any gaps in your policies and procedures. Guide Star has industry-leading “Red Team” partners that provide you with this assessment. 

Ensure Your Cybersecurity Program is a Success 

Now that we’ve talked about what it takes to create a formal cybersecurity program, let’s see if you have the tools to get started.  

Here are three questions to ask yourself if your company is getting ready to create your own cybersecurity program: 

  • Do you have an identified cybersecurity expert on your executive team? 
  • Do you have the resources to compile policies and procedures? 
  • Does your IT staff have the bandwidth or knowledge to implement your new program? 

If you answered “no” to any of these questions, don’t panic. Guide Star has a team of cybersecurity experts that will help you every step of the way.  

After completing the first cybersecurity guideline from the Department of Labor, check it off your list and start thinking about conducting prudent, annual risk assessments for your company.