Building a Security Program Before the Breach
A national manufacturer hired Breach Craft for vCISO leadership after a peer was breached, moving from ad-hoc security to a NIST CSF-aligned program.
The Challenge
A national manufacturer watched a direct competitor get breached. The incident made industry press. Customers, suppliers, and their own board started asking questions. The questions were the obvious ones: How exposed are we? Could this happen to us? Are we prepared? The manufacturer’s leadership realized, honestly, that they did not know.
They had an IT team. They had security tools. They had vendor relationships, some good, some inherited. They had cyber insurance. What they did not have was a program: a framework, a maturity baseline, a risk register, a roadmap, a governance structure, or a way to answer the board’s questions with evidence rather than assertion. Security decisions had been made over the years by whoever was in the room when something came up. Controls existed but had never been audited against a formal framework. No one could credibly say where the organization stood on an established maturity scale because no one had ever measured it that way.
The board wanted a full-time Chief Information Security Officer. The executive team looked at the math. A full-time CISO at the right level of experience for a national manufacturer is a $400,000-plus all-in investment before the cost of the team a new CISO would want to build. The organization was not going to support that hiring move on the timeline the board’s concern required, and a rushed executive hire risked becoming a different kind of expensive mistake.
They came to us for virtual CISO leadership. Not to defer the problem, but to get a seasoned security leader in the role immediately, build the program that made the answer to “are we next” a confident no, and do it at a fraction of the total cost of a full-time hire.
The Approach
Keith led the engagement. His background matched the problem: years as an Information Security Officer at a financial firm, where he led full alignment to NIST SP 800-53, and years as a consultant who had helped build advisory practices and served as the internal CISO for a consulting firm. He had sat in the chair of the people he was now advising. That changes how a vCISO engagement runs.
The first phase was honest assessment. We ran a gap assessment against NIST CSF, interviewed stakeholders across IT, operations, finance, and the executive team, reviewed documentation, and cataloged the controls and tools actually in place. We did not pretend we had not found what we found. The gap report documented exactly where the program stood: controls without policies, policies without enforcement, tools without configuration, capabilities without the people or processes to use them.
One finding deserved its own line. The manufacturer had inconsistent asset inventories across the organization. IT had one view of what existed on the network. Operations had another. The security tooling saw a third. None of the three agreed. That is the kind of finding that can look like housekeeping on the surface and is actually foundational. The controls that sit at the very top of every major framework (CIS Control 1, NIST CSF ID.AM) do so for a reason: you cannot meaningfully secure what you cannot reliably inventory. Every downstream activity — vulnerability management, patching cadence, access review, detection coverage — depends on a trustworthy inventory underneath it. Fixing that problem moved to the front of the remediation roadmap, not because it was glamorous, but because everything else was standing on it.
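The reconciliation the finding above calls for is mechanical once the views are side by side. The following is an added example, not Breach Craft's code or the manufacturer's data: three small inventories are constructed to mimic the situation described (IT's CMDB, the operations team's plant-floor list, and what the security tooling observes), and the script merges them and reports the categories a remediation roadmap would care about. The source names, the records, and the use of the IP address as the join key are all assumptions made for the example.

```python
"""Reconcile several asset inventories into one view and flag the gaps.

Added example, not Breach Craft's code or the manufacturer's data. The
three inventories are constructed to mimic the case study: IT's CMDB,
the operations team's plant-floor list, and what the security tooling
actually observes on the network. Hostnames, IPs and owners are made up.
"""
import ipaddress
from collections import defaultdict

# Constructed sample inventories. Each record: (hostname, ip, owner or None).
IT_CMDB = [
    ("erp-app-01", "10.10.1.5", "it-apps"),
    ("fileserver-02", "10.10.1.20", "it-infra"),
    ("hmi-line3", "10.20.3.14", None),              # IT knows it exists but records no owner
    ("legacy-print-01", "10.10.1.99", "it-infra"),
]
OPERATIONS_LIST = [
    ("HMI-LINE3", "10.20.3.14", "plant-ops"),       # same host as IT's entry, different casing
    ("plc-line3-press", "10.20.3.40", "plant-ops"), # OT device IT never recorded
]
SECURITY_TOOLING = [
    ("erp-app-01", "10.10.1.5", None),
    ("fileserver02", "10.10.1.20", None),           # tooling names it differently
    ("hmi-line3", "10.20.3.14", None),
    ("unresolved-10.10.9.77", "10.10.9.77", None),  # on the wire, in no inventory
]

SOURCES = {"it": IT_CMDB, "operations": OPERATIONS_LIST, "security": SECURITY_TOOLING}
INVENTORY_SOURCES = {"it", "operations"}   # the views that are supposed to be authoritative
MONITORING_SOURCE = "security"             # the view that tells us what detection covers


def reconcile(sources):
    """Merge every source into one record per asset.

    Assumption for this example: the IP address is the join key. Real
    reconciliation needs a stronger identity (serial number, MAC, agent
    ID) because addresses move; the structure of the merge is the same.
    Returns {ip: {"hostnames": set, "owners": set, "seen_by": set}}.
    """
    merged = defaultdict(lambda: {"hostnames": set(), "owners": set(), "seen_by": set()})
    for source_name, records in sources.items():
        for hostname, ip, owner in records:
            rec = merged[ip]
            # Normalise casing/whitespace so "HMI-LINE3" and "hmi-line3" are not a conflict.
            rec["hostnames"].add(hostname.strip().lower())
            if owner:
                rec["owners"].add(owner)
            rec["seen_by"].add(source_name)
    return dict(merged)


def find_gaps(merged, inventory_sources=INVENTORY_SOURCES, monitoring_source=MONITORING_SOURCE):
    """Classify each asset by the way the views disagree about it.

    unmanaged         - observed by the security tooling but in no inventory,
                        so nothing patches it, scans it, or reviews its access
    unmonitored       - inventoried but invisible to the tooling: a detection
                        coverage gap
    no_owner          - nobody is accountable for it
    conflicting_names - the views call the same address different things,
                        which usually means records that were never reconciled
    """
    gaps = {"unmanaged": [], "unmonitored": [], "no_owner": [], "conflicting_names": []}
    for ip, rec in sorted(merged.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        inventoried = rec["seen_by"] & inventory_sources
        if not inventoried:
            gaps["unmanaged"].append(ip)
        elif monitoring_source not in rec["seen_by"]:
            gaps["unmonitored"].append(ip)
        if not rec["owners"]:
            gaps["no_owner"].append(ip)
        if len(rec["hostnames"]) > 1:
            gaps["conflicting_names"].append(ip)
    return gaps


def monitoring_coverage(merged, inventory_sources=INVENTORY_SOURCES, monitoring_source=MONITORING_SOURCE):
    """Fraction of inventoried assets the security tooling can see.

    This is the number a board report can actually use: it only means
    something once the inventory underneath it has been reconciled.
    """
    inventoried = [r for r in merged.values() if r["seen_by"] & inventory_sources]
    if not inventoried:
        return 0.0
    covered = sum(1 for r in inventoried if monitoring_source in r["seen_by"])
    return covered / len(inventoried)


if __name__ == "__main__":
    merged = reconcile(SOURCES)
    for category, ips in find_gaps(merged).items():
        print(f"{category:18s} {ips}")
    print(f"monitoring coverage: {monitoring_coverage(merged):.0%}")
```

Run against the constructed data it reports one device the tooling sees that no inventory claims, two inventoried devices the tooling cannot see, one asset with no owner, and one address with two different names, with 60% of inventoried assets covered by monitoring. Each category maps to a different remediation owner, which is why the reconciliation belongs at the front of the roadmap rather than being treated as housekeeping.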
That report was not comfortable reading. It was accurate, which was the point.
The second phase built the strategic roadmap. Framework selection landed on NIST CSF, with ongoing reference to NIST SP 800-53 for control detail, because that matched the maturity level the board wanted to move toward and the industry context the manufacturer operated in. We developed the policy framework from scratch where it needed to be, adapted existing policies where they could be saved, and wrote the governance structure that would let the board see security as a managed program rather than an ad-hoc function. A multi-year roadmap was laid out with quarterly milestones, dependency ordering, and realistic resource requirements.
The third phase moved into ongoing strategic leadership. Quarterly board reporting became a structured cadence. A living risk register tracked identified risks through remediation with status and residual-risk ratings leadership could actually interpret. Incident response planning produced playbooks and a tabletop exercise program to validate them. Vendor risk management got formalized.
When the manufacturer decided it was time to evaluate managed detection and response (MDR) providers, Keith led the evaluation. The neutrality mattered here, and it is worth being explicit about why: because Breach Craft does not sell MDR, we had no commercial incentive to steer the manufacturer toward one vendor over another. We scoped the evaluation against the manufacturer’s actual detection needs, built selection criteria with their internal team, ran structured comparisons across the shortlisted providers, and delivered a recommendation the manufacturer could trust was based on environmental fit rather than on what we would earn from a referral. That is the kind of advisory conversation a vendor-neutral vCISO can have that a vendor-aligned one structurally cannot.
Compliance guidance ran continuously as regulatory requirements evolved. Keith stayed in the engagement as the named security leader for internal purposes and external conversations, including the ones with customers and suppliers who had started asking security questions in the wake of the competitor breach.
The Outcomes
The manufacturer moved from “we do not know where we stand” to a measurable program with documented maturity against NIST CSF across all functions. The board got quarterly reporting in the language the board operates in: business risk, financial exposure, compliance posture, maturity trajectory. The risk register replaced the pattern of security decisions made in the room with a structured view of what was tracked, by whom, with what priority, and what residual risk remained after remediation.
Customer and supplier security questionnaires went from being a scramble to a standardized response process with pre-built answers, control mappings, and audit evidence ready to attach. Deals that had been slowed by security diligence moved faster. The security program became an asset to commercial operations rather than a blocker.
The original catalyst, the competitor breach, receded as the driving force. The program that was built to answer the board’s fear question became a program that outlasted the fear. When the next industry incident made news (as it always does), the manufacturer was not scrambling. They had a risk register, they had controls mapped to the relevant threat, they had an IR plan tested against realistic scenarios, and they had a vCISO who could provide informed perspective to the board before the board asked.
Two specific outcomes are worth naming. The inventory problem the gap assessment surfaced got fixed. A reconciled asset inventory with clear ownership and a process to keep it current replaced the three-competing-views pattern, and every downstream control became meaningfully measurable because the underlying inventory it depended on was finally accurate. The MDR selection ran on criteria that fit the manufacturer’s operations rather than the commercial interests of whoever was advising them, and the provider they chose was one they could defend as the right answer for their environment, not a provider who happened to be paying referral fees.
A virtual CISO engagement is not a substitute for every security function an organization needs. It is an answer to the question of strategic leadership when a full-time hire is not the right move. For this manufacturer, the answer moved them from reactive security to a managed program in a timeline a full-time hire could not have matched, at a total cost well below what the full-time path would have required, with access to a depth of team that a single executive hire could not have replicated.