To create a security program, you need to begin by defining your governance strategy. You need to review your governance and see if it is complete and followed. From there, you need to understand your security posture and see where it differs from the ideal. A review of past incidents also points you to areas that require improvement. You also need to define the information that requires protection. You might also want to perform threat hunting and penetration tests to determine other vulnerabilities to exploit.