
Yesterday, our kids got back from overnight camp in New Hampshire.
It was three and a half weeks of nonstop fun. Hanging out with friends, playing in the sun, staying up later than was probably a good idea.
And that was just Rachel and me! It sounds like the kids had a good time too.
But it wasn’t all fun and games. As short-term empty nesters, we knew that the opportunity to get things done around the house was not something to squander.
The garage, for example, needed some serious cleaning out. We moved not too long ago and it became our temporary storage area. With our typical schedule of family activities off the table for a few weeks, it was a good time to evaluate the backlog and sell or give away what we no longer needed.
We do the same thing with our Fractional CISO clients. I don’t mean we clean out their garages (please don’t call). I’m referring to the process of taking periodic stock of how we are doing with each of them.
This is outside the day-to-day blocking and tackling that is done to keep things running smoothly. It’s a quarterly (sometimes monthly) process in which we work with the client to look at what we have accomplished, how we are performing, and what we plan to do next – a process that, among other things, ensures things don’t fall through the cybersecurity cracks.
For example, let’s say we had a goal of putting antivirus on every laptop. The project may have been completed, but over time, things change. Maybe the client has since acquired a small company and didn’t think to onboard its laptops to their standards. Absent a regular, high-level evaluation, it’s easy to overlook this kind of thing.
Further, it’s important that senior management is involved (or at least has the option). This allows them to see how the security team is progressing and solidifies management commitment to cybersecurity across the organization.

Overall, planned, periodic cybersecurity check-ins have a number of benefits:
- Assessing Cybersecurity Readiness. Identifying strengths and weaknesses in your security, uncovering potential vulnerabilities, and understanding areas that need improvement.
- Compliance. Many industries have specific regulations and compliance standards related to data security that must be met. For example, for ISO 27001, “management reviews” are a requirement.
- Benchmarking and Performance Evaluation. Measuring and evaluating your cybersecurity program’s progress over time.
- Leadership Communication. Review meetings with senior management provide a structured means of demonstrating success. This is especially important if there is a transition on the management team, so that you can show what’s been accomplished and outline agreed-upon plans.
- Budget and Resource Allocation. Regular reviews establish a track record of steady progress against potential threats. This can help justify budget allocations for future projects.
- Team Coherence. It’s easy to get lost in the day-to-day. These meetings give security team members a sense of accomplishment regarding progress made and a realistic idea of what can be done over a typical three-month period.

Don’t Leave Management Involvement to Chance

Whether working with a Virtual CISO (like us) or managing the process internally, it’s important to continually move the ball forward and ensure your cybersecurity program is as robust as possible.
For best results, establish a “security team,” determine (and stick to) a regular cadence for meeting and reporting to senior management (monthly or quarterly), and agree on a number of defined objectives, measures, and performance indicators.
One more thing – don’t wait. An imperfect cybersecurity program is much better than no program at all. Start down the road with the assumption that you will adjust and improve along the way.
As for me, please let me know if you could use a slightly worn media cabinet. Now that the kids are back home, that garage is feeling more crowded than ever!