Is Your Cybersecurity Program Complete?

Why neither an AI summary nor a careful read tells you, and what a security ontology has to do before a CISO can trust the answer.

You inherit a cybersecurity program. Within three weeks the auditor arrives. Three days later, the board asks whether it is complete. 

You can read every document and still answer with a sentence about the documents, not the program. That gap does not close by closer reading harder or handing the documents to an AI tool. 

It closes when you stop treating prose as the only representation of your program.

The failure of the summary

A reviewer asks whether mobile device use is covered in the program. They open the Acceptable Use Policy. They find a section on it. Done.

What they never see: the Privacy Policy also governs mobile data handling. The Data Classification Standard names which data classes can leave the device. The Vendor Management Policy controls which sync apps are permitted. The Incident Response Plan defines the remote wipe procedure when the device is lost. Mobile device use is not covered in one document. It is governed across five that do not cross-reference each other.

Drop any one of those documents into an AI tool and you will get something close to this:

"This Acceptable Use Policy applies to all employees and contractors and governs the use of company resources, including email, internet, and devices. Employees must acknowledge it at onboarding and may face disciplinary action for violations."

Every word is correct. The summary tells you the AUP covers devices. It does not tell you that four other documents also do, in ways that overlap, contradict, or leave gaps. It does not tell you whether the Authentication Policy that the AUP delegates to actually exists. It does not tell you what the program omits.

We call this Structural Blind-spot. The reader returns a description that is locally true and globally hollow. Correct in every sentence. Useful for no decision a CISO has to make. The gap is not in any single document. It is between them.

What an ontology answers

A CISO needs answers a summary cannot give. Where does mobile device use actually live across the program? What does the program reference but never define? If Okta breaks tomorrow, what else breaks with it? Each is a structural question. None of them yields to reading documents one by one.

An ontology stores answers in a form you can query. Every concept is a node. Every relationship is a directed edge with a verb. The AUP applies to an Employee. The Employee uses Okta. Okta is governed by the Authentication Policy. The SOC 2 report cites that policy as control evidence. One node, one edge, one verb, in the language the program already uses.

The graph holds more than policies. People, roles, systems, data, controls, evidence, obligations, events. Anything that carries risk, control, or evidence is a node. Once it is all in the graph, the structural questions resolve in seconds, not days.

Same schema, from startup to Fortune 500

The same schema works at every scale. A five-person startup populates it with a few dozen nodes. A Fortune 500 populates it with thousands. The graphs differ in size and topology, but the vocabulary is the same.

That shared vocabulary lets you answer vendor reviews, customer audits, and M&A diligence by reading structure instead of prose.

A per-company ontology is a diagram. A shared ontology that any company instantiates is a language.

What the three views show

The graphs below are the proof of method on a small scale: the policy layer. The same approach extends across the rest of the program, covering every entity type and every relationship.

Why you should care

If you sit in a CISO seat, your next vendor review, customer audit, or post-incident root-cause analysis requires a structural answer on a deadline. Right now you read your way to it. With an ontology, you query your way to it.

If you are evaluating a vCISO offering, the operator on the other end of that contract is either doing structural work or doing slow reading. Asking them how they would assess your program's coverage in the first week separates the two.

If you build AI for compliance, the ceiling on how many programs your experts can review under SLA is set by how fast they can read. Reading prose is slow. Reading structure is fast. An ontology is what makes the ceiling rise.

What comes next

The three views above prove the method on the policy slice. The paper is the schema itself: the node types, predicate vocabulary, and structural rules that let a five-person startup and a Fortune 500 be read on the same axes. We are publishing it next.

The question we opened with stays open until your program is in a form that can answer it.

Research and analysis by SecurityPal AI's Data Science team: Habish Dhakal, Manik Kamra, Pratyush Acharya, Sweta Shrestha, Anurodh Budathoki with Nigam Niraula.