Why do you start the twelve cyber controls at Control 1, not Control 9?

Operators trying to deploy cyber capability in 2026-2027 face a paradox: the visible, expensive controls (EDR, SIEM, SOC) get the budget; the foundational ones (identity, governance, training) get deferred. The result is operators who fail diligence anyway. Start at Control 1.

For: All operators · 10–300 people

Cyber · January 19, 2027 · ~6 min read

Most operators trying to deploy cyber capability start with the visible, expensive controls and ignore the foundational ones. The order matters more than the budget.

FOR: All operators · 25–300 people · cyber baseline sequencing

By James D. Boyd · Global CIO Advisor · Vencer Group

Quick answer

Operators trying to deploy cyber capability in 2026-2027 face a paradox: the visible, expensive controls (EDR products, SIEM platforms, dedicated SOC contracts) get the budget; the foundational controls (identity infrastructure, governance, awareness training) get deferred. The result: operators with expensive cyber tools who still fail diligence because Control 1 (asset inventory) and Control 2 (identity hygiene) aren't in place. Start at Control 1.

Operators trying to deploy cyber capability in 2026-2027 face a paradox. The visible, expensive controls - EDR products, SIEM platforms, dedicated SOC contracts - get the budget. The foundational controls - identity infrastructure, governance, awareness training - get deferred. The result: operators spend $300K on the controls that show up in vendor demos and skip the $20K of identity work that determines whether any of it actually works.

The twelve controls framework has an order for a reason. Here's why starting at Control 1 matters, and why Control 9 (24/7 SOC) shouldn't be your starting point even though it feels like it should.

The order matters because the controls compound

The twelve controls are sequenced from foundational to advanced. Each control above relies on the ones below it being deployed correctly. A 24/7 SOC monitoring an environment without proper identity infrastructure is monitoring noise. Endpoint detection on machines without consistent identity has detection blind spots. Vendor risk management on top of an unmanaged vendor stack is theater.

The cumulative pattern: deploying Control 9 before Controls 1-3 wastes 60-80% of Control 9's capability. The investment is real. The return is degraded because the foundation isn't there.

Control 1 - Identity & Access Management

Why it goes first: Every other control depends on knowing who is doing what. EDR alerts mean less when you can't correlate them to specific identities. SIEM data is noisy without identity context. Vendor access is dangerous without provisioning discipline.

What "deployed" looks like:

  • Single identity provider (typically Microsoft Entra) for the organization
  • SSO coverage above 80% of business-critical applications
  • Documented provisioning and offboarding processes
  • Privileged account separation from standard accounts
  • Conditional access policies for high-risk activities

Cost to deploy for a 75-person operator: $20-50K if not already on Microsoft Entra. Largely bundled if you're on M365 E3 or higher. Lowest-cost control with the highest leverage on every control above it.

Control 2 - Multi-Factor Authentication

Why it goes second: Identity is meaningless without authentication discipline. Passwords alone are compromised at scale in 2026-2027. MFA is the basic authentication standard.

What "deployed" looks like:

  • MFA enforced on all accounts (not optional, not exception-based)
  • Phishing-resistant MFA (FIDO2 keys) on privileged and executive accounts
  • Number-matching authenticators on general workforce
  • SMS as fallback only, never as the primary method
  • Conditional access policies enforcing MFA based on risk signals

Cost to deploy: $5-15K including FIDO2 keys for privileged accounts. The licensing is bundled with M365.

Controls 3-8 - The middle tier (deploy in order)

Control 3 - Endpoint Detection & Response. Named Gartner Leader product. Deploy to 95%+ of endpoints before considering any advanced control.

Control 4 - Email Security. Named Gartner Leader product. DMARC/DKIM/SPF configured properly.

Control 5 - Backup & Recovery. Named Gartner Leader product. Immutability enabled. 3-2-1-1-0 framework.

Control 6 - Network Segmentation. IT/OT separation with documented architecture.

Control 7 - Vulnerability Management. Regular scanning, prioritized remediation, evidence of cadence.

Control 8 - Logging & Monitoring. Centralized logging. Reviewable evidence. This is the prerequisite for Control 9 - without consistent logging, the SOC has nothing to monitor.

These six controls together are the operational core of the twelve. Cost to deploy at mid-market scale: $80-150K initial + $60-120K/year ongoing. This is where most of the named-product cyber budget lands, and it's correctly sequenced.

Control 9 - 24/7 SOC (and why it isn't first)

Control 9 is the one operators most often want to start with. It's visible, it's reassuring, it shows up in cyber theater nicely. It is also the control most likely to be wasted budget if Controls 1-8 aren't deployed.

A 24/7 SOC monitoring an environment with:

  • Inconsistent identity (Control 1 weak)
  • Spotty MFA coverage (Control 2 weak)
  • White-label EDR with limited telemetry (Control 3 weak)
  • Patchy email security (Control 4 weak)
  • No logging consistency (Control 8 weak)

...is monitoring noise. The SOC will see events, but won't have the context to interpret them. False positive rates will be high. Real incidents will get missed. Operators who start with SOC spend $80-150K/year and feel less secure than operators who deploy the foundation first.
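The "monitoring noise" argument above (and the identity-correlation point under Control 1) in working form. This is an added illustration, not code from the post or from Vencer Group: the alerts, alias maps and principal names are constructed, and the alias-resolution approach is an assumption about how a single identity provider would let a SOC stitch tool-specific account names into one timeline.

```python
from collections import defaultdict

# Constructed alerts from three tools; each tool names the same person differently.
ALERTS = [
    ("09:02", "email", "jdoe@corp.example", "credential-phish link clicked"),
    ("09:15", "vpn", "CORP\\jdoe", "login from new country"),
    ("09:31", "edr", "WS-17\\j.doe", "LSASS memory read"),
    ("10:10", "edr", "WS-22\\asmith", "unsigned binary executed"),
]

# Control 1 deployed: one identity provider resolves every alias to one principal.
IDP_ALIASES = {
    "jdoe@corp.example": "jdoe", "CORP\\jdoe": "jdoe", "WS-17\\j.doe": "jdoe",
    "asmith@corp.example": "asmith", "CORP\\asmith": "asmith", "WS-22\\asmith": "asmith",
}

# Control 1 weak: directory knows cloud and domain accounts, not local workstation accounts.
FRAGMENTED_ALIASES = {"jdoe@corp.example": "jdoe", "CORP\\jdoe": "jdoe"}


def build_timelines(alerts, aliases):
    """Group alerts by resolved identity; subjects the directory cannot resolve are orphaned."""
    timelines, orphans = defaultdict(list), []
    for ts, source, subject, what in alerts:
        principal = aliases.get(subject)
        if principal is None:
            orphans.append((ts, source, subject, what))
        else:
            timelines[principal].append((ts, source, what))
    return dict(timelines), orphans


def multi_source_chains(timelines, min_sources=3):
    """Identities whose alerts span several tools: the attack chains a SOC can actually act on."""
    return {p for p, events in timelines.items()
            if len({source for _, source, _ in events}) >= min_sources}


if __name__ == "__main__":
    for label, aliases in (("single IdP", IDP_ALIASES), ("fragmented", FRAGMENTED_ALIASES)):
        timelines, orphans = build_timelines(ALERTS, aliases)
        print(f"{label}: chains={multi_source_chains(timelines)} orphaned={len(orphans)}")
```

With the consolidated directory the phish, the anomalous VPN login and the EDR alert collapse into one chain for `jdoe`; with the fragmented one the EDR alert is an orphan and the same three events look unrelated.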

The honest take

The most expensive cyber posture mistake is starting at Control 9 because it's the most visible. Identity work (Control 1) is unglamorous, internal, and doesn't show up in a vendor demo. It also has 5-10× the leverage on every other control. Operators who deploy in order - even slowly - produce better outcomes than operators who deploy out of order with bigger budgets. The framework is sequential for a reason.

Controls 10-12 - The governance tier

Control 10 - Vendor Risk Management. Inventory, tiered assessments, attestations. Deploys after the vendor stack is consolidated.

Control 11 - Awareness Training. Quarterly cadence, phishing simulation, completion tracking. Deploys when there's an operational rhythm to plug it into.

Control 12 - Governance. Board cyber reporting, named CISO function, documented improvement program. This is what makes the other 11 compound rather than drift.

The full framework - twelve controls in order, the deployment patterns for each, and the milestone-based 90-day plans - lives in The Twelve Controls. Chapters 3-6 cover the foundational controls; Chapter 7 covers OT segmentation; Chapters 8-9 cover the advanced controls.

If you'd rather have someone assess where you currently stand on the twelve controls, the Cyber-and-the-Cycle Assessment includes the composite scoring and prioritized roadmap as part of the structured review - three to five days, written report, no obligation.

The part where our lawyers smile

Pattern recognition from 19 years of running operator IT - not prescription for your specific situation. Anyone offering prescription from a blog post is selling something. (Possibly to you.) The 30-min CIO review is where the pattern becomes specific to your operation. Free, no proposal, no slide deck.
