Why We Start With Readiness, Not Remediation

8th May 2026 | Fellsway

Most cyber engagements open the same way. A consultant runs an assessment, hands over a list of gaps, and calls the remediation roadmap a plan.

A year later, you’ve closed half the gaps, spent more than you budgeted, and are looking at an audit that still won’t pass.

The cyber risks to your organization are still there, because the work focused on the symptoms, not the underlying cause.

The work wasn’t wrong. The starting point was.

A gap list is not a strategy

A list of gaps in your cyber program tells you what’s missing against a framework.

It doesn’t tell you why those gaps exist.

It also doesn’t prioritize them by the risk they carry or the potential impact on your business continuity.

For example, two controls can both be marked “non-compliant” and be nothing alike. One might be a contractual obligation to a prime contractor, with a deadline and liability if it slips. The other might be a policy gap that takes an afternoon to close once someone decides whose signature goes on it.

A gap list treats them the same. It records both, but leaves you to work out the priority order.

Inevitably, you focus on the easy-to-fix ones first: those that take less effort or can be quickly checked off. Get the count down, carry on. It feels like progress because the list is shrinking.

Twelve months on, the program has closed a lot of gaps, but it hasn’t changed the things your business is being measured on. The audit comes back. The insurer asks harder questions than last year. The prime contractor still doesn’t have the evidence they need.

An assessment that surfaces problems without the work to fix them properly can leave you worse off than before.

You have a documented list of problems to deal with, but you don’t know how to fix them effectively, or how to prevent them from coming back.

You’re not truly ready to handle risk.

Readiness starts with your business, not a list of gaps

Readiness is a business state. You’re ready when you can pass the audit you’re facing, win the contract you’re chasing, and keep operating through whatever incident comes next.

That’s the starting question we ask. Not “where are you non-compliant?” but “what does ready look like for your business, and what’s going to move you there?” Different questions produce different programs.

Before we talk about controls, we want to know:

  • What the business is actually protecting
  • Who it’s being measured by (regulator, customer, insurer, prime contractor, board)
  • What “good” looks like twelve months from now

Once that’s clear, the framework work gets easier. NIST SP 800-171, ISO 27001, CMMC, HIPAA: these are how you prove readiness to someone outside your business. They aren’t the definition of readiness itself.

Start with the framework and you end up with a program that passes checklists. Start with the business and you end up with a program that holds up when the checklist stops being the point.

Every good approach starts with a Plan

At Fellsway, we help make sure every business is ready with our proven Plan. Build. Run. methodology.

Plan is the first phase of how we work, and often the most important. It’s the phase most firms either skip or turn into a deliverable to get through on the way to the billable implementation work.

For us, Plan is where direction gets set. Together, we: 

  • Establish the business and regulatory objectives
  • Interpret the requirements in practical, operational terms
  • Define risk tolerance and decision authority
  • Identify gaps, dependencies, and third-party impacts
  • Map accountability across internal owners and external providers

The output is a phased, defensible roadmap tied to outcomes the business has already agreed are worth reaching.

It’s a working agreement about what the business is going to be ready for, in what order, and who owns each piece.

You can’t build correctly unless you’ve planned properly. 

Skip Plan, and every decision in Build gets made on guesswork: which control to implement first, which vendor to coordinate with, which policy to write and whose sign-off it actually needs.

When those decisions get made without direction, they’re usually wrong, and the cost of undoing them shows up months later in Run.

The cost of starting wrong

We see a handful of failure patterns over and over, and they all share a root cause: the work started with a list of gaps instead of a picture of readiness.

The costs show up as:

  • Money spent on controls that don’t map to the client’s real obligations
  • Technical effort put into hardening something no regulator, customer, or prime contractor is asking about, while the one priority they do have doesn’t get touched until late
  • A GRC platform stood up before anyone agreed on what “ready” means. The tool ends up reporting against controls no one has validated as the right ones. Dashboards look good. The program underneath them doesn’t.
  • Remediation work that closes a technical gap but leaves ownership undefined. The control gets implemented, and six months later no one is running it. The finding reopens at the next audit, and those remediation dollars get spent a second time.
  • Worse still, every new problem gets a new product, and no one is accountable for the program the products are supposed to be serving. Tool sprawl instead of governance.

Readiness changes everything

When Plan is done properly, Build gets faster and cheaper because priorities are clear. 

Your team isn’t relitigating what matters every time a trade-off comes up. Run becomes predictable because accountability is mapped to people who know they own it.

The outcomes are the ones clients care about. Audit readiness that holds up under scrutiny. A program the internal team can own without panicking when someone leaves. A CFO-level answer to “what are we spending this on, and what does it buy us?” Evidence that works in a vendor assessment without a two-week fire drill to produce it.

Remediation still happens, of course. It’s one of the outputs of a good Plan. But it’s shaped by a clear sense of what the business is building toward, sequenced against real priorities, and handed to owners who know what they’re accountable for.

That’s how a readiness program differs from a remediation checklist.

The underlying cause is addressed before the symptoms are fixed.

If you want to see what readiness looks like for your business, book a call. We’ll talk through where you are, what you’re being measured on, and what it would take to be genuinely ready.
