What is a cybersecurity roadmap for a mid-market company?
It is a sequenced, phased plan that takes an organisation from an ad hoc collection of tools and one-off projects to a managed security programme with owned controls, tested resilience, and a credible compliance posture. IBM’s Cost of a Data Breach Report 2024 found that organisations with extensive security AI and automation averaged USD 3.31 million per breach, compared with USD 5.72 million for those with none – structured programmes reduce cost because they shorten detection, clarify ownership, and create repeatable process (IBM 2024).
12-month cybersecurity roadmap – at a glance:
- IBM 2024: organisations with high security-staffing shortages faced significantly higher breach costs – unmanaged security creates direct financial drag
- DORA has applied since 17 January 2025; NIS2 transposition deadline was 17 October 2024 – regulated companies often need to compress months 1–6 because legal deadlines do not wait for internal timetables
- Phase 1 (months 1-2): asset discovery and risk assessment – without this baseline, every later phase gets slower and more political
- Phase 2 (months 3-4): quick wins with high impact – MFA coverage, patch cadence, vendor tiering, DMARC/SPF/DKIM
- Phase 3 (months 5-6): process and documentation – incident response plan, BCM pack, policy library, board reporting rhythm
- Phase 4 (months 7-9): certification sprint – ISO 27001, PCI DSS, TISAX, or DORA workstream
- Phase 5 (months 10-12): test and validate – penetration test, phishing simulation, BCM tabletop, residual-risk review for the board
| Months | Phase | Core activities | Key deliverables | Lead |
|---|---|---|---|---|
| 1-2 | Baseline | Asset discovery, scope, risk assessment, framework selection, gap analysis | Asset register, risk register, gap analysis, prioritised remediation backlog | Internal sponsor + external adviser |
| 3-4 | Quick wins | MFA rollout, patch cadence, vendor tiering, e-mail security, privileged-access clean-up | MFA coverage map, patch SLA, vendor risk tiers, DMARC status report | IT + security lead |
| 5-6 | Process | IR plan, BCM documentation, policy framework, board reporting rhythm | IR plan, BCM pack, policy library, executive dashboard | vCISO / COO |
| 7-9 | Certification sprint | ISO 27001, PCI DSS, TISAX, or DORA workstream, evidence gathering, internal audit prep | Certification evidence pack, remediation tracker, audit timetable | Compliance lead + auditor |
| 10-12 | Test and validate | Penetration test, phishing simulation, BCM tabletop, residual-risk review | Pen test report, simulation results, tabletop after-action plan | Security lead + external specialists |
| Ongoing | Operate and improve | Quarterly scans, board reporting, annual maintenance, training refresh, recertification planning | Quarterly security pack, annual review, continuous-improvement log | vCISO / internal owner |
Why do most security programmes fail before month three?
Most companies do not fail because they buy no security tools. They fail because they buy tools without a programme. They approve an endpoint tool in one quarter, a penetration test in the next, and a certification project after a customer demands it. Six months later they own software, reports, and invoices – but they still do not have a coherent operating model. Security without a roadmap becomes reactive procurement, which creates control gaps, duplicated spend, and board frustration.
What does the baseline phase deliver and why can you not skip it?
The first phase is not glamorous – which is exactly why many companies rush past it. A business that does not know what systems it owns, what data it holds, what suppliers it depends on, and which regulations apply is not ready for any of the later moves.
For a 200-person company, a serious asset discovery exercise typically takes two to four weeks with specialist tooling and interviews across IT, operations, finance, HR, and procurement. At the end of that exercise you should have a defensible asset register – not just a spreadsheet of laptops. It should cover business applications, cloud services, privileged accounts, supplier dependencies, payment flows, and where sensitive personal, cardholder, and intellectual property data sits.
A risk assessment follows. This is where the leadership team assigns owners to specific exposures. The output should be a risk register, a framework decision, and a prioritised remediation backlog. The framework decision matters: a manufacturing supplier to automotive clients may need TISAX; a payments company needs PCI DSS; a B2B SaaS provider selling into enterprise often sees ISO 27001 first. EU financial entities are already under DORA, which has applied since 17 January 2025, and many medium-to-large entities in critical sectors now face NIS2 obligations.
Skip this phase and every later phase gets slower and more political. Certification becomes a debate about scope. Penetration testing confirms things you already suspected. Board reporting stays vague because nobody agreed the baseline in the first place.
Which quick wins deliver the highest return in months three and four?
Once the baseline exists, the programme should move quickly on a small set of measures that materially reduce risk and demonstrate internal momentum. Microsoft has long stated that MFA blocks more than 99% of automated account-compromise attacks – the right answer is not “we have MFA on e-mail” but “we have MFA on e-mail, VPN, administrator access, finance platforms, HR systems, and critical SaaS.”
Verizon DBIR 2024 reported that exploitation of vulnerabilities as an initial access step grew sharply; a patching programme started in month three establishes a cadence, a severity model, and clear ownership. Vendor tiering by month four ensures that critical suppliers receive more than informal trust. DMARC, SPF, and DKIM are not exciting – but they reduce the risk of the company’s domains being spoofed and create visible progress that sales, legal, and operations teams can understand.
How much does a vCISO cost and when does the model make sense?
By the end of month six, the company should have a documented incident response plan, a business continuity and recovery pack, a policy framework approved by management, and a board reporting rhythm. This is also where a vCISO or experienced programme lead earns their fee. Current market pricing for vCISO support in Europe typically sits around EUR 3,000 to EUR 8,000 per month depending on scope and seniority. For many mid-market firms, that is the difference between having accountable programme management and asking overstretched IT leaders to improvise governance in their spare time.
How much does ISO 27001 cost and how long does certification take?
For many mid-market firms, ISO 27001 is the right first certification sprint because it creates a company-wide information security management system and opens enterprise procurement. For a 200-person company, a realistic all-in cost is often EUR 20,000 to EUR 60,000 – once implementation support, internal effort, and certification body fees are included. Typical timing from gap analysis to certificate is six to twelve months, which is why the earlier phases matter: they compress the hardest work into the front half of the year.
PCI DSS follows a different logic. The scope is narrower but the evidence demand is more technical. For a Level 1 merchant, a Report on Compliance with a QSA can take three to six months depending on the complexity of the cardholder data environment and the maturity of segmentation, logging, scanning, and change control. Smaller entities using SAQs may validate through different routes, but the underlying requirements are the same.
What does the test-and-validate phase prove that the certification sprint does not?
Testing after the build phase is the correct sequence. Testing first merely generates a long list of weaknesses with no agreed owner, no budget, and no process to fix them. The penetration test in months ten to twelve asks whether the controls implemented in the first nine months actually hold under adversarial pressure.
The phishing simulation is meaningful by this point because e-mail security controls, MFA coverage, and an incident response plan that gives staff somewhere to report suspicious messages are already in place. The BCM tabletop is one of the highest-value activities in the entire year – it forces leadership, legal, operations, IT, and communications to test assumptions together. At the end of month twelve, the company has moved from reactive spending to managed security operations.
FAQ
How long does it take to build a cybersecurity programme from scratch?
For a mid-market company, a practical first version typically takes nine to twelve months if the business starts with no formal programme. Regulated companies can move faster on paper, but compressing the early phases tends to create rework later.
What is the first step in creating a cybersecurity roadmap?
Start with asset discovery, scope definition, and a risk-based gap analysis. Without that baseline, every other project competes for priority without a shared decision framework.
How much does ISO 27001 certification cost for a mid-sized company?
For a 200-person organisation, a realistic range is often EUR 20,000 to EUR 60,000 all-in, depending on the maturity of existing controls, the use of external support, and certification body fees.
Can a company achieve ISO 27001 and PCI DSS simultaneously?
Yes, but most companies move faster by building the core governance, asset, access, and incident processes first, then sequencing the more specialised PCI workstream on top of that foundation.
What does a vCISO do in the first 90 days of an engagement?
A serious vCISO should help define scope, establish the asset and risk baseline, create the remediation backlog, and set the board reporting rhythm – building the operating model, not just attending calls.
How do you prioritise cybersecurity investments on a limited budget?
Fund the controls that remove the most preventable risk first: asset visibility, MFA, patching discipline, incident response, and supplier clarity. Expensive tooling without those foundations rarely delivers the return boards expect.
Cybersecurity roadmap – free 30-minute scoping session
Patronusec offers a 30-minute roadmap session to map this framework to your current controls, compliance obligations, existing tools, and budget. The output is a practical sequence, not a generic sales deck.