This blog, authored by Sherweb’s Cybersecurity Technical Fellow Roddy Bergeron, breaks down why most managed service providers (MSPs) fall short on security execution and what it really takes to turn strategy into resilience.

Everyone has a plan until they get punched in the face. That famous boxing adage rings especially true in cybersecurity. It’s easy to draw up a security strategy on paper: comprehensive policies, cutting-edge tools, detailed incident response plans. But when a real attack hits, the true test is how well you execute that plan under pressure. In other words, the effectiveness of your security program isn’t defined by the strategy you intend to follow, but by the actions you actually take when it counts. If you’re wondering what makes a cybersecurity program effective, it starts with execution.

*Note: This blog is based on insights from Sherweb’s comprehensive guide on building a successful cybersecurity program. For a deeper dive into each pillar and actionable steps to enhance your MSP’s cybersecurity maturity, download the full guide.* 

A plan is only as strong as its execution 

Having a solid cybersecurity strategy is important. Frameworks like the NIST Cybersecurity Framework (CSF) or CIS Controls give you a roadmap, and policies set expectations. However, a strategy without effective execution is just theory. Too often, organizations pour resources into planning—risk assessments, policy writing, compliance checkboxes—but stumble in day-to-day execution. 

Consider the recent data breach at SRP Federal Credit Union in South Carolina. Between September 5 and November 4, 2024, unauthorized access compromised sensitive information of over 240,000 individuals, including names, Social Security numbers and financial details. The ransomware group Nitrogen claimed responsibility, stating they acquired 650 GB of customer data. This incident underscores how execution failures, such as inadequate monitoring and delayed response, can lead to significant breaches, regardless of the strategies in place. 

In plain terms, the plan existed, but the follow-through failed. 

The lesson here is stark: even the best strategy fails if it’s not properly implemented. It’s like having an evacuation plan for a fire: if no one practices it or knows their role, chaos will reign during a real emergency. Your security program works the same way. The real-world outcomes (breaches prevented, incidents contained) are what matter, and those hinge on execution.

Why good plans fail: Common execution gaps 

Let’s break down why security strategies often fall apart in practice. Identifying these execution gaps is the first step to fixing them: 

  • Untested procedures: Incident response playbooks and disaster recovery plans sound great in theory, but have you tested them? Teams that never run drills or tabletop exercises often freeze or fumble during an actual incident. A plan no one has practiced is a plan that won’t be followed. 
  • Tool overload without integration: Investing in multiple security tools (firewalls, intrusion detection systems, endpoint protection suites, etc.) can backfire if they’re not configured and monitored properly. An overwhelming stack with poor integration leads to missed alerts and slow responses. 
  • Human factors and silos: A strategy on paper assumes people will do their part. In reality, if roles aren’t clear or teams work in silos, critical tasks fall through the cracks. Security is a team sport; one weak link can break the whole chain.
  • Outdated playbooks: Threats evolve quickly. If you set your strategy and forget it, your team might be following yesterday’s plan against today’s threats. Regular updates, refresher trainings and iterative improvements are essential to keep execution aligned with current risks. 

And then, of course, there’s the financial impact. Many MSPs assume that having cyber insurance will cover them in the event of a breach, but insurance isn’t a safety net for poor execution. Carriers are scrutinizing security postures more than ever, and policies often include strict requirements around incident response, logging, patching and access controls. If a provider determines that your security measures weren’t properly enforced, your claim could be denied, leaving you to absorb the full cost of the breach. In short, a cybersecurity program that only works in theory won’t just fail in practice, it could cost you everything. 

Recognize any of these in your organization? If so, it’s time to reassess what makes a cybersecurity program effective and where yours may be falling short.

Bridging the gap: Make strategy actionable 

How can you ensure your well-crafted strategy actually delivers results? More importantly, what makes a cybersecurity program effective enough to stand up under pressure? The key is to translate plans into practical actions and keep refining them. Here’s how to align strategy with execution. 

What makes a cybersecurity program effective?

  1. Practice like it’s real: You fight the way you train. Schedule regular drills for likely scenarios (ransomware outbreaks, phishing scams, data breaches). Tabletop exercises and live simulations train your team to act decisively. When everyone knows the playbook by heart, execution becomes second nature in a crisis. This is also a great time to update your playbooks and policies.
  2. Simplify and integrate: Streamline your security stack. Make sure your tools talk to each other and that alerts funnel into one dashboard your team actively monitors. A simpler, well-integrated toolset is easier to manage and less prone to error. When an alarm sounds, your team can respond faster because nothing slips through the cracks.
  3. Empower your people: Ensure every team member knows their role and has the authority to act. Remove silos by fostering open communication between IT, security and development teams. When a threat emerges, seconds count. Your staff shouldn’t be waiting for permission or wondering who’s in charge. Include people from all parts of your business on your security steering committee.
  4. Continuous improvement: Treat every incident (and drill) as a learning experience. Do a quick post-mortem after each to ask: What went right? What could be better? What can we get rid of? Update your procedures and training based on those lessons. A security program should evolve with each test, becoming stronger every time you find and fix a weakness.

By taking these steps, you turn your strategy into a living, breathing program. It’s no longer a document in a binder; it’s muscle memory and a culture of readiness. Your team will execute the plan because it’s ingrained in their daily work.

Will your security program hold up under fire? 

I’ve spent years building and assessing security programs, and one thing I know for sure is that execution separates the winners from the victims. You could have the most robust cybersecurity framework outlined, but if your organization can’t carry it out under fire, it’s as good as no strategy at all. 

Remember, a security program isn’t a checkbox or a document; it’s a commitment to action and to reducing the impact of an incident. The real test of your program happens in the trenches: a phishing email that slips past filters, a zero-day exploit that strikes out of nowhere or an employee laptop lost with sensitive data. In those moments, your preparedness (or lack of it) shows. Either your team leaps into action and contains the damage, or the plan falls apart and the breach becomes tomorrow’s headline.

My advice is simple: don’t wait for a crisis to find out if your cybersecurity strategy actually works. Pressure-test it now. Encourage your team to think like attackers and responders, not just planners. If you discover gaps, address them immediately: update the process, retrain people or streamline tools, whatever it takes.

As someone who’s helped develop MSP security services and led incident response efforts, I’ve seen firsthand how proactive execution can turn a potential disaster into a minor inconvenience. It’s incredibly rewarding to watch a well-drilled team tackle an incident calmly because they’ve prepared for that day. That confidence doesn’t come from the plan on paper; it comes from practice and execution. And that is the true mark of a successful security program. 

Ready to put your security strategy to the test? Don’t wait for an attacker to punch you in the face—do it yourself. Run those drills, fix those flaws and prove your program works. Because sooner or later, something will go wrong. And when it does, what makes a cybersecurity program effective isn’t the plan, it’s the preparation behind it.


Written by Roddy Bergeron, Technical Fellow, Cybersecurity @ Sherweb

Roddy Bergeron's career has taken various paths including government auditing, nonprofit work, public/private partnerships with the State of Louisiana, helping build an MSP by building their managed service, managed security, vCISO and compliance programs, and now as the Cybersecurity Technical Fellow with Sherweb. Roddy has obtained many certifications over the years including his MCSE, CCNA:Security, CEH, CCSP, CISSP and CSAP. Our MSP community is extremely important to Roddy and he loves giving back to the community that has helped him out so much over the years. Roddy hopes to continue to help other MSPs succeed and raise the cybersecurity tide for our industry.