All posts
·Candela Security

Building a Security Program from Scratch: A CTO's Roadmap

Building a security program from scratch? This CTO roadmap covers asset inventory, quick wins, policy foundations, your first pentest, and the 90-day path to a defensible posture.

security-leadershipbuilding a security programstartup security programsecurity program roadmapcto cybersecurity responsibilitiesfirst 90 days ciso

Building a security program: where most CTOs start wrong

Most security programs don't get built — they accumulate.

A startup adds a password manager after a shared credentials incident. Someone reads about SOC 2 and buys a compliance tool. A new hire asks whether there's a security policy and nobody can find one. A prospect's security questionnaire uncovers eight things nobody realized were gaps.

That's not a security program. It's reactive patching, and it creates the illusion of security without the substance. When something eventually goes wrong — and statistically, it will — you find out which parts of your stack were actually protecting you and which were just there.

Building a security program from scratch is different. It means making deliberate choices: what are we protecting, from whom, at what cost? It means sequencing investments so that high-risk gaps close first. And it means building the operational muscle — documentation, processes, accountability — that makes security sustainable as the company grows.

This guide is written for the CTO who owns security in the absence of a dedicated CISO, and for the new security leader dropped into an organization with no existing program. It covers what to do in what order, and why.

Start with a realistic threat model

Before you buy a tool or write a policy, you need to understand what you're actually defending.

Threat modeling doesn't require a formal methodology. It starts with three questions:

What are our most critical assets? This is more specific than "our data." It means: which systems, databases, or services would cause the most damage if compromised? For a SaaS company, the answer is usually the production database containing customer data and the authentication infrastructure that controls access to it. For a fintech, it's payment processing pipelines. For a healthcare company, it's PHI storage. Get specific.

Who might actually attack us? Most companies aren't targets of sophisticated nation-state actors. The realistic threat model for a Series A startup includes opportunistic attackers using automated scanning to find exposed services, credential-stuffing attacks using leaked passwords from other breaches, phishing targeting employees with privileged access, and disgruntled former employees with access that wasn't revoked. These are very different threats from APT campaigns, and the defenses are different too.

What's our current exposure? This is the honest question. What's actually externally facing? Who has access to what? Where are credentials shared? You can't answer this without looking.

The threat model doesn't need to be a 50-page document. It needs to be specific enough that you can use it to prioritize. If your biggest risk is credential theft targeting your admin accounts, that changes what you fix first.

Phase 1: Close the obvious gaps (first 30 days)

The first 30 days of building a security program aren't about building — they're about eliminating the exposures that are most likely to get you compromised in the near term. These are the controls that apply to every organization regardless of size, and in most cases they're achievable without significant budget.

Multi-factor authentication everywhere. Start with email (Microsoft 365 or Google Workspace), your source code repositories, your cloud console, and any production system access. Use phishing-resistant MFA — hardware security keys or passkey-based authenticators — for your highest-privilege accounts. SMS-based MFA is better than nothing but should be treated as a temporary measure, not a destination; SIM-swapping attacks are common enough that relying on SMS for executive or admin accounts is a material risk.

Access review. Pull a full list of who has access to what. Former employees with active accounts, shared service account passwords, admin privileges given out "temporarily" that became permanent — these are your most likely initial access paths for an attacker. Revoke access that shouldn't exist. For anything that requires admin access, enforce the principle of least privilege: the minimum access required to do the job, nothing more.

Endpoint management. If employees are using personal devices for work, or if company devices have no management layer, you have no visibility into endpoint threats. Deploy a basic MDM (Mobile Device Management) solution and an EDR (Endpoint Detection and Response) product. Most modern security platforms combine these. This is a meaningful investment, but one that pays back quickly in visibility alone.

Email security. Enable SPF, DKIM, and DMARC for your domain. Configure anti-phishing policies. This doesn't prevent all phishing, but it prevents your domain from being used to spoof emails to your customers and employees, and it blocks the most basic inbound attacks.

Secrets management. Move API keys, database credentials, and other secrets out of environment variables, .env files committed to repos, and Slack messages, and into a dedicated secrets manager (AWS Secrets Manager, HashiCorp Vault, or 1Password Secrets Automation are the common options). This is one of the most common findings in application security assessments because it's so common to skip during fast-growth development.

None of these controls requires a security team to implement. They require ownership and 30 days of focused attention.

Phase 2: Build the policy foundation (days 30–60)

Policies feel bureaucratic. They're actually the scaffolding that makes everything else scalable.

Without documented policies, security decisions get made inconsistently, security training can't be meaningful because there's nothing to train toward, auditors have nothing to assess, and new employees have no reference for what's expected. The absence of policy is also the most common reason companies struggle with compliance frameworks like SOC 2 — the technical controls exist, but there's nothing written down.

The minimum viable policy set for a growing company:

Acceptable Use Policy. Defines what company systems and data can be used for, what personal use of corporate devices is acceptable, and what employees are expected to do (and not do) with sensitive information.

Password and Authentication Policy. Specifies minimum password requirements, mandates MFA for specific system categories, and defines how credentials should be managed. This gives you grounds to enforce what you've already deployed technically.

Access Control Policy. Documents how access is provisioned, reviewed, and revoked. Establishes that access follows least privilege. Creates the review cadence (quarterly access reviews are standard) that most compliance frameworks require.

Incident Response Policy. Defines what constitutes a security incident, who gets notified, who leads the response, and what the escalation path looks like. Having this written down before you need it is the difference between a structured response and a chaotic one. Your first pentest findings should feed directly into this document.

Data Classification Policy. Defines categories of data (typically: public, internal, confidential, restricted) and specifies how each category should be handled, stored, and transmitted.

These five documents are the foundation that everything else builds on. They don't need to be long — clarity matters more than length. But they need to exist, they need to be version-controlled, and every employee needs to have seen them.

Phase 3: Get external eyes (days 60–90)

At this point, you've closed the obvious gaps and documented how your program is supposed to work. Now you need to find out what you missed.

The most valuable thing external security experts provide isn't a list of vulnerabilities — it's the perspective of someone who isn't inside your assumptions. Your developers know which parts of the codebase were built quickly. Your IT team knows which policies are enforced inconsistently. But neither of them has the attacker's perspective: what looks exploitable from the outside, what chains together, what gets you into something critical.

A penetration test at this stage serves several purposes simultaneously. It validates (or disproves) the effectiveness of the controls you've just implemented. It surfaces issues that are invisible from inside the organization — misconfigured services, exposed APIs, insecure authentication flows. And it gives you a prioritized remediation list that's grounded in actual exploitability, not theoretical risk.

The scope of a first pentest for a company building its security program from scratch should cover your most critical external attack surface: web applications, APIs, and any externally accessible infrastructure. Internal network testing and more specialized assessments (mobile apps, cloud configuration review) can follow once the external attack surface is hardened.

"In God we trust; all others must bring data." — W. Edwards Deming

That principle applies here. You can believe your controls are working, or you can know.

If you're on a tight budget, a focused external web application assessment is a better use of money than a broad but shallow scan. Depth on your most critical system is more useful than breadth at low quality. Our guide to penetration testing costs covers realistic pricing and what drives variance.

Phase 4: Compliance decision point (month 3 onward)

Somewhere between month two and month six, most growing companies hit the same decision point: a prospect's enterprise security team sends a questionnaire, or a potential enterprise customer asks for a SOC 2 report, or a new partner requires ISO 27001 certification.

This is the moment to make deliberate choices about which frameworks to pursue, rather than letting sales urgency drive the decision.

The most common frameworks for US-based software companies are:

SOC 2 Type I / Type II. The default for SaaS companies selling to enterprise customers. Type I is a point-in-time assessment of controls; Type II covers a period (usually six months to one year) and is what enterprise procurement actually requires. If you've been building your security program properly, SOC 2 Type I is achievable within a few months. Type II requires sustaining those controls over time.

ISO 27001. Required by many European customers and enterprise procurement processes that prefer internationally recognized standards. More process-intensive than SOC 2 but well-regarded as evidence of a mature security program.

PCI DSS. Required if you're handling cardholder data directly. If you're using a payment processor like Stripe and not storing card data yourself, your PCI scope is typically minimal.

The compliance question and the security program question are related but not identical. A company can pass a SOC 2 audit and still have serious security vulnerabilities — compliance certifies that documented controls exist and are followed, not that the underlying systems are secure. The best approach is to build the security program first and then pursue compliance as external validation of what you've built, rather than building the security program around what the auditors want to see.

If you're trying to figure out what your specific compliance obligations are, our penetration testing for compliance guide covers the requirements across SOC 2, ISO 27001, PCI DSS, and HIPAA.

Hire or outsource: the build vs. buy question for security

At some point you'll need to decide whether to hire dedicated security staff or outsource the function. This is a more nuanced question than it first appears.

The case for hiring: a full-time security professional embedded in your engineering organization has context that external vendors don't. They can attend sprint planning, review architecture decisions in real time, build security into the development process rather than testing it afterward, and respond to incidents with full knowledge of your environment.

The case for outsourcing: security talent is expensive and scarce. The fully-loaded cost of a senior security engineer in most markets is $200,000–$280,000 per year. An outsourced CISO or vCISO (virtual CISO) engagement at $15,000–$30,000 per month gives you senior security leadership across strategy, compliance, and governance at a fraction of the cost, with the flexibility to scale up or down.

For most companies with fewer than 100 engineers, the practical answer is a hybrid: outsource the strategic and compliance functions to a vCISO or managed security provider, and invest in upskilling your existing engineering leads on security fundamentals. As the organization grows and the complexity of the security program increases, you bring in dedicated internal staff.

The wrong time to hire a full-time security employee is when you don't yet have a security program for them to run. That hire becomes expensive and often exits within 18 months because the role is undefined, the tools aren't there, and they end up doing IT support instead of security work.

The 90-day security program roadmap

Putting this together as a concrete timeline:

Days 1–10: Asset and risk inventory. Map your external attack surface, identify your most critical internal systems and data, and assess current access patterns. This doesn't require tools — it requires conversations with your engineering leads and an honest look at your environment.

Days 10–30: Implement baseline controls. MFA everywhere, access review and revocation, endpoint management, email security configuration, secrets management. Document what you've done and why.

Days 30–60: Policy foundation. Write the five core policies. Get legal review if anything involves employee data or regulatory obligations. Communicate policies to all employees with acknowledgment tracking.

Days 60–90: External assessment. Commission a penetration test of your external attack surface. Use findings to validate controls, surface gaps, and create a remediation backlog with priorities.

Month 3 onward: Compliance and program maturation. Make the compliance framework decision. Implement the pentest remediation backlog. Establish a vulnerability management process. Begin preparing for certification if required.

This is a realistic timeline for a company that's starting from scratch and treating this as a priority, not a side project. The actual elapsed time depends on how much remediation work the pentest uncovers and how quickly you can address it.

What a mature security program looks like

After 12–18 months of building deliberately, a well-run security program at a growth-stage company has the following characteristics:

Documented controls that are actually followed. The policies exist, they're current, and employees know about them. Access reviews happen on schedule. Incident response has been tested, at minimum with a tabletop exercise.

External validation on a regular cadence. Annual penetration testing at minimum, with more frequent testing for high-risk systems or after significant changes to the architecture. The pentest findings are tracked to remediation, not filed away.

Security embedded in development. Developers understand the security implications of the choices they're making. There's a process for reviewing third-party libraries and dependencies. Secrets management is standard practice, not an afterthought.

Audit-ready compliance. If you've pursued SOC 2 or ISO 27001, the evidence collection process is automated or at least documented and consistent. You can produce evidence of controls without a scramble.

Metrics that connect to business risk. You can answer the question "how are we doing?" with data: mean time to remediate vulnerabilities, percentage of critical findings resolved within SLA, access review completion rate, phishing simulation click rates. These are the metrics that matter to a board, not "number of alerts handled."

The goal isn't a perfect security posture — that doesn't exist. The goal is a defensible one: an organization that can demonstrate it takes security seriously, has invested appropriately in controls, and has the visibility to detect and respond when something goes wrong.


Building a security program and not sure where to start? Book a free consultation with our team — we'll map your current exposure and help you prioritize the first 90 days.

Frequently Asked Questions

How do you build a security program from scratch?

Start with a realistic threat model — identify what you're protecting and from whom. Then close the most critical gaps first: MFA, access control, endpoint management, and secrets management. Build a minimal policy foundation. Get external validation through a penetration test. Then pursue compliance as a layer on top of a working security program, not as the reason you built one.

What should a CTO know about cybersecurity?

A CTO doesn't need to be a security expert, but they need to understand the risk landscape for their specific architecture, who owns security decisions, what the company's obligations are, and how to evaluate whether the security controls in place are actually working. The most important thing a CTO can do is not conflate compliance with security — passing an audit is not the same as being secure.

What is the first step in building a security program?

Asset and risk inventory. You cannot prioritize what you don't understand. Before spending money or implementing controls, map what you have: what's externally exposed, what data you hold, who has access to what. That inventory drives everything else.

How long does it take to build a security program?

A defensible baseline security program — MFA, access controls, core policies, and first penetration test — is achievable in 90 days with focused effort. A mature program that includes compliance certification, embedded security processes, and regular external testing takes 12–18 months to build properly.

When should a startup hire a CISO?

Most startups don't need a full-time CISO until they have significant compliance obligations, a large engineering organization, or a regulated market context. A vCISO or fractional security leader can provide strategic direction at a fraction of the cost and is often the right answer until Series B or C, depending on the business.


Want to secure your company?

Book a free 20-minute consultation with our security team.

Book your free call