Create a “Programmatic Approach” to Cyber Security Risk Reduction



By Peter Gailey

North Texas, USA

Cyber Security is a fundamental cornerstone of every enterprise. It is very complicated and riddled with risk. A “Programmatic Approach” is the most effective way to reduce that risk.

Cyber Security is the business of measuring risk and offering solutions to reduce or eliminate it. In its simplest form, effectively reducing enterprise risk means that a series of projects must be identified, prioritized, budgeted, executed, and tested.

To properly address enterprise cyber security, the first step is to understand the business and its strategy. Most industries have cyber security mandates (for example, HIPAA in Healthcare); consider these as minimum requirements. To create a strategy you must understand several components: the industry and its minimum requirements, vulnerabilities, standards and frameworks, risks, adversaries, and how to allocate people, process, technology, and budget. Each of these can be done in-house or outsourced.

Roles of individuals:

CIO – Chief Information Officer – Sets strategy, manages budget, and is responsible for the execution of the Information Technology / Information Security (IT/IS) environment that drives the business to meet its stated objectives. Generally reports to the CEO, COO or VP Finance.

CISO – Chief Information Security Officer – Generally the same as a CIO, with a security focus. Almost always reports to the CIO.

CDO – Chief Data Officer – Generally the same as a CISO, with a focus on data. May report to the CIO or CISO.

The CIO, CISO and CDO are managing people, process and technology projects. Depending on the size of the enterprise, a Program Office and/or Program Manager may be involved. Regardless of corporate structure, a “programmatic approach” is needed.

Frameworks and Standards:

The best advice is to follow industry standard practices, in the form of industry standards and frameworks. Most will be mandated, depending on the enterprise's geographic location and industry. For example, in the US, NIST (National Institute of Standards and Technology) is followed. NIST publishes both Standards (for example, measurements) and Frameworks (for example, the CSF, Cyber Security Framework: a cross-industry library of best practices).

In the EU, ISO Standards and Frameworks are followed. Large international enterprises may be mandated to follow both.


How to cite this article: Gailey, P. (2022). Create a “Programmatic Approach” to Cyber Security Risk Reduction, PM World Journal, Vol. XI, Issue IV, April. Available online at https://pmworldlibrary.net/wp-content/uploads/2022/04/pmwj116-Apr2022-Gailey-programmatic-approach-to-cyber-security-risk-reduction.pdf

About the Author

Peter Gailey

North Texas, USA


Peter Gailey has worked in global Fortune 100 firms as a strategic sales leader, creating strategy and building teams that have executed those strategies, resulting in billions of dollars of revenue and hundreds of millions in profits. Peter also has deep experience in start-up firms in the high-tech space. His expertise includes Cyber-Security, Cloud, and Data Center technologies and services. He can be contacted at peter@gaileysolutions.com