
In today’s hyper-connected, attacker-rich landscape, cybersecurity is no longer an optional add-on; it is a business imperative. If your customers run cybersecurity programs that include third-party risk assessments or due diligence during the buying process, you have likely received lengthy questionnaires asking for details of your own cyber program. In some cases, they have woven cyber program expectations into your contracts, or they expect you to obtain third-party audits or attestations demonstrating that your program exists and operates (e.g., SOC 2, HITRUST, FedRAMP, TX-RAMP, StateRAMP).

So, you’ve gotten the message loud and clear: your customers want a robust cybersecurity program. But before you rush into generic “policy packs” or check-the-box audits, take a step back and avoid the common pitfalls below. I can definitively state that it is more expensive to dig a deeper hole and then rely on heroic efforts to “build Rome in a day” (P.S., cyber-Rome-in-a-day does not exist, and even if you attempt it, the result will not be sustainable).

Mistakes to Avoid:

  1. Buying a pre-packaged program or policy/procedure templates: While templates offer a starting point and tempting affordability, a one-size-fits-all approach leaves critical gaps in your specific risk landscape and in how your organization is actually set up from a people and process standpoint. Remember, cybersecurity isn’t a product; it’s a continuous operation connecting people, processes, and technology to protect the company.
  2. Seeking the “cheap and fast” audit: Cutting corners with superficial audits creates a false sense of security and usually costs more in the long run. Finding an auditor who will “look the other way” is a short-sighted approach that almost always ends in pain and exponential cost. There are many marquee public examples of companies you do not want to emulate.
  3. Tech overwhelm: Throwing money at the latest tools without a clear strategy is like buying a toolbox full of shiny tools without knowing how to use them. Focus on understanding your needs and aligning technology with your security framework. There is a sea of cyber tool providers out there, all waiting to convince you that their offering will solve your cyber risk. While some of these are great pieces of technology, very few live up to the hype (or at least to the breadth of impact their marketing teams have dreamed up).
  4. Passing the buck: Assuming your IT team or external providers are solely responsible is a recipe for disaster. Everyone in the organization plays a role in cybersecurity, and it takes leadership, or outside advisory support, to make that a reality.

At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit for purpose, and are sustained over time. If you want assistance building your company’s cybersecurity strategy, governance, and plan toward a desired state of maturity, please don’t hesitate to contact us at  


About the Author

Cody Rivers is a Consulting Director at Reveal Risk. Cody helps lead a consulting practice that specializes in creating and maturing cybersecurity programs focused on risk reduction while aligning the work to clients’ budget realities.

Prior to joining Reveal Risk, Cody served as Chief Technology Officer (CTO) for a successful Midwest-based IT Managed Services Provider (MSP) with clients across the US and Western Europe. While there, he built the cloud security practice that helped clients overcome technical obstacles on their path to security maturity and regulatory compliance.

Cody’s experience spans 15+ years working with organizations ranging from local professional sports teams to Fortune 1000 companies in nearly all major industries. He has worked within such frameworks and regimes as SOC, NIST, and SOX. In 2021, Cody was recognized as a CTO of the Year by the Indianapolis Business Journal.
