Security Leadership
Building a Security Programme from Zero: A Practical Framework
Most SMEs have no security programme: just a collection of tools and good intentions. Here’s how to build a structured programme in 90 days.
Where Businesses Get Stuck
The challenges we most commonly see when organisations come to us:
- You have cyber tools but no cyber programme.
- Your security is reactive, undocumented, and not board-ready.
- You don’t know where to start.
Our Methodology
The 90-Day Security Programme Framework: governance, risk, compliance, technical controls, and team.
What Starkhorn Brings
Daniel Jacobs: 20+ years in technology and security, 15+ of them in leadership roles. VetPartners (BC Partners, GBP1.2bn), Jardine Motors Group (GBP2bn). Published author. PRINCE2, ITIL, IIM Full Member.
Starkhorn does not subcontract or use associate networks. You work directly with Daniel Jacobs from the first conversation through to delivery.
Who This Is For
This service is designed for:
- New CISOs
- Operational leaders building security from scratch
This is not the right fit for: Businesses with a mature security programme already.
Frequently Asked Questions
What is a cyber essentials checklist and why does my organisation need one?
It is a structured list of the controls a reviewer checks to judge how well an organisation is protected, covering things like access control, device protection, backups, patching, email security and incident response. This version scores your answers so you get a number and a priority list, not just a tick-box.
Is this the same as a Cyber Essentials assessment?
No. Cyber Essentials is a formal certification assessed by an accredited body against the NCSC and IASME scheme requirements. This is a free self-assessment that helps you see where you stand before you pay for a formal assessment. It covers the five Cyber Essentials technical controls and goes a little wider (backup and incident response sit outside Cyber Essentials but are drawn from the CIS Controls and the NCSC 10 Steps), so the Cyber Essentials gaps it finds are ones that matter for certification, with a few extras that matter for resilience.
Which frameworks is the checklist based on?
The five Cyber Essentials controls (NCSC and IASME), the CIS Critical Security Controls v8.1 (18 controls, 153 safeguards, with Implementation Group 1 as the foundational set), and the NCSC 10 Steps to Cyber Security. These are the recognised UK and international baselines for organisations of this size.
How is the score calculated?
Eighteen questions across six controls, each scored one (worst) to four (best). The total is normalised so that the lowest possible total maps to 0 and the highest to 100: answering ‘we do not do this’ to everything gives a genuine zero, with none of the hidden floor you get by simply dividing the raw total by the maximum. Each control also gets its own 0 to 100 score so you can see where the weakest link is.
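The scoring model described in that answer, written out as an added worked example (this is not the page's or Starkhorn's own code). It assumes six controls of three questions each, which is how eighteen questions divide across six controls, and uses the six control names listed in the checklist answer above; the sample answers are constructed. The point it demonstrates is the floor: a naive `total / max` leaves every all-ones response at 25, while subtracting the minimum possible total first gives a true zero.

```python
"""Checklist scoring: 18 questions, six controls, 1 (worst) to 4 (best).

Added example, not the page's own code. Assumes three questions per
control; the sample answers below are constructed for illustration.
"""
from __future__ import annotations

MIN_ANSWER, MAX_ANSWER = 1, 4
QUESTIONS_PER_CONTROL = 3
# Control names taken from the checklist answer on the page.
CONTROLS = (
    "access control",
    "device protection",
    "backups",
    "patching",
    "email security",
    "incident response",
)


def naive_normalise(total: int, n_questions: int) -> float:
    """Divide by the maximum only. Leaves a hidden floor of 25 for all-ones."""
    return round(total / (n_questions * MAX_ANSWER) * 100, 1)


def normalise(total: int, n_questions: int) -> float:
    """Map a raw total onto 0..100 so the lowest possible total is exactly 0."""
    lo = n_questions * MIN_ANSWER
    hi = n_questions * MAX_ANSWER
    return round((total - lo) / (hi - lo) * 100, 1)


def score(answers: dict[str, list[int]]) -> dict:
    """Return the overall score, a per-control score and a priority list.

    Raises ValueError on a malformed submission rather than scoring it,
    so a missing control or an out-of-range answer cannot silently
    inflate or deflate the result.
    """
    if set(answers) != set(CONTROLS):
        raise ValueError(f"expected controls {CONTROLS}, got {tuple(answers)}")
    for name, vals in answers.items():
        if len(vals) != QUESTIONS_PER_CONTROL:
            raise ValueError(f"{name}: expected {QUESTIONS_PER_CONTROL} answers")
        if any(not MIN_ANSWER <= v <= MAX_ANSWER for v in vals):
            raise ValueError(f"{name}: answers must be {MIN_ANSWER}..{MAX_ANSWER}")

    per_control = {
        name: normalise(sum(answers[name]), QUESTIONS_PER_CONTROL)
        for name in CONTROLS
    }
    total = sum(sum(vals) for vals in answers.values())
    n_questions = len(CONTROLS) * QUESTIONS_PER_CONTROL
    # Weakest control first: this is the priority list the page mentions.
    priority = sorted(per_control, key=per_control.get)
    return {
        "overall": normalise(total, n_questions),
        "controls": per_control,
        "priority": priority,
        "weakest": priority[0],
    }


# Constructed sample submission (not real assessment data).
SAMPLE = {
    "access control": [3, 4, 3],
    "device protection": [2, 3, 2],
    "backups": [4, 4, 4],
    "patching": [1, 2, 1],
    "email security": [3, 3, 2],
    "incident response": [1, 1, 2],
}

if __name__ == "__main__":
    result = score(SAMPLE)
    print("overall:", result["overall"])
    for name in result["priority"]:
        print(f"  {name:<18} {result['controls'][name]:5.1f}")
    worst = {c: [MIN_ANSWER] * QUESTIONS_PER_CONTROL for c in CONTROLS}
    print("all-ones, naive:", naive_normalise(18, 18))   # 25.0: hidden floor
    print("all-ones, true: ", score(worst)["overall"])   # 0.0
```

Running it prints the constructed sample at 50.0 overall with patching and incident response tied at the bottom, and shows the two normalisations diverging on an all-ones submission: 25.0 under the naive formula, 0.0 under the one the answer describes.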
What is a cyber security risk assessment and why does my organisation need one?
It is a structured way of identifying what could harm your organisation digitally, how likely it is, and how much it would hurt, so you can decide what to fix first. Recognised methods such as ISO/IEC 27005:2022 and NIST SP 800-30 set out how to do this rigorously. This free tool gives you a fast, scored starting view across seven domains.
Is this a real risk assessment or a quick check?
It is an honest self-assessment that scores your posture and points to your weakest areas. It is a board-ready signal and a useful starting artefact, but it is not a formal risk assessment, audit or certification, and it does not replace one. A real assessment looks at your specific assets, threats and context in depth.
What does a typical Starkhorn engagement cost?
Engagements are structured as monthly retainers or fixed-term day-rate assignments. The cost depends on scope and time commitment. We are transparent about pricing from the first conversation and will give you a clear indication on the call.
What experience does Starkhorn bring?
Starkhorn is led by Daniel Jacobs, with 20+ years in technology and security, 15+ of them in leadership roles. He has served as CIO, CISO, and interim technology director for organisations including VetPartners (BC Partners-backed, GBP1.2bn) and Jardine Motors Group (GBP2bn turnover). He holds PRINCE2 and ITIL Foundation certifications and is a Full Member of the Institute of Interim Management.
Do I need a full-time CISO or will a virtual CISO suffice?
For most SMEs and PE-backed businesses, a virtual or fractional CISO provides everything a full-time hire would at a fraction of the cost. Unless your sector requires a dedicated CISO under regulation, a virtual arrangement is almost always the smarter choice.
What is the first step to working with Starkhorn?
Book a no-obligation conversation using the link on this page. In 30 minutes we will understand your situation, tell you honestly whether we are the right fit, and outline what a first engagement would look like. There is no sales process and no pressure.
Next step
Ready to Talk?
Starkhorn works with MDs, CEOs, and boards of growing businesses. If you have a technology leadership gap, a security concern, or a transformation that is not delivering, we can help. Book a 30-minute conversation with no obligation.