top of page

Cybersecurity Order of Operations (9 steps to security maturity)

It can be difficult to know where to begin when it comes to getting your cyber security house in order. There's a lot to juggle beyond budgets. The goal of this article is to give decision-makers a clear order of operations to take your technology environment from less secure to secure.

The following steps toward cyber security maturity are listed in order of importance. This is intended to be used as a guide and cannot replace the guidance of an IT professional. Visit our Cybersecurity page for more info on Kosh Solutions' services: Cybersecurity Services


Related articles:


Step 1: Annual review of your security plan

The main thrust of this step is to document your cybersecurity. Writing down a complete picture of your current security setup will help show you where you are and where you need to put some more thought/resources.

Here are a few components that are required to mark this off your list. We recommend the following:

  • Have a security risk assessment performed by an IT professional. Kosh offers a professional cybersecurity assessment - learn more about our assessment.

  • Appoint a security officer.

  • Write down your security policies. Most cybersecurity vendors have boilerplate policies that you can edit to suit your organization. Some areas the policies might cover are:

  • Security Management Policy: a requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.

  • Security Officer Policy: A single individual must be designated as having overall responsibility for the security of an organization's data.

  • Evaluation: Organizations must perform periodic technical and non-technical evaluations that determine the extent to which an organization's security policies, procedures, and processes meet ongoing requirements.

  • Technical - Audit Controls

  • Have a documented incident response plan. Write down the steps you would take in the event of a breach.

  • Obtain adequate cyber insurance. Learn more about cyber insurance with these articles:

  • Do I Need Cyber Insurance?

  • What do I need to obtain cyber insurance?

  • Role-based controls to restrict access to sensitive information.

This is a huge step toward strengthening your cyber security posture! Depending on the size and complexity of your organization, this could be a concise 2-to-10-page document or could run much longer.

Kosh has a free cybersecurity checklist that can help with this process. Click to fill out the form below to get the PDF checklist emailed to you.

Step 2: All software and hardware are supported, patched, and up to date

It's trickier than it sounds to keep all your software and hardware under warranty, with support contracts, patched, and up to date. When you have a few servers, dozens of workstations, and at least a handful of line of business applications, managing all those licenses can get complicated. Furthermore, you probably have firewalls, access points, and switches to stay on top of.

Sometimes the hardware device is "end-of-life" and needs to be replaced altogether. Other times you just need to deploy a patch or update the firmware. Having a process to audit and ensure all your devices and software are good to go is essential to not only your security posture but also your overall technology efficiency. Trying to work from old unsupported hardware and software will inevitably break down and lead to extensive downtime.

For large organizations, we recommend either using software to track these things or outsourcing this task to your IT service provider. It's possible to track everything on a spreadsheet, but there must be processes that adjust the data. Meaning, if you retire a firewall and install a new one, everything needs to be documented so you know exactly what's in place. A simple spreadsheet might look like this:


Account #

Purchase Date

Renewal Date

Adobe Cloud


Jan 6th 2022

Jan 5th 2023