CODY KELLER

Q1 is over. The board presentation is done. The audit findings are sitting in a tracker somewhere, color-coded and assigned to people who are already busy with something else. Everyone exhales, and then — because this is how it always goes — the next ninety days start accelerating before you’ve had a chance to think about them.

Q2 doesn’t wait for you to catch your breath. But it does give you a window — a brief one — to get ahead of it. Here’s how to use it.

The Q1 Hangover Is Real

Every quarter ends with some version of the same problem: things that were “in progress” are now technically overdue, and things that were deprioritized during a busy stretch are now competing for time with new priorities. The Q2 reset isn’t about doing everything at once. It’s about being honest with yourself regarding what actually got done and what got pushed.

Pull your risk register. Open your audit findings tracker. Look at your policy review schedule. How many items have been in “in progress” status for more than 30 days? That’s your real starting point. Not a new initiative, not a shiny framework — just a clear-eyed accounting of what’s outstanding and what it’s costing you to carry it.

This is the discipline that separates security programs that mature from those that just get louder.

Policy Reviews Aren’t a Once-a-Year Problem

Most organizations treat policy reviews as an annual checkbox tied to their audit cycle. If you’re on that cadence, Q2 is a good time for a quick look at anything that may have drifted since January.

Regulations moved. Platforms changed. You may have onboarded new vendors, rolled out new tools, or modified how you handle data. Policies that were accurate in December can quietly become inaccurate by April without anyone touching them.

You don’t need to rewrite your entire policy library this month. But spend 30 minutes reviewing the three policies most likely to be affected by changes in your environment: your acceptable use policy, your vendor management policy, and your incident response plan. If any of them reference systems, contacts, or processes that no longer exist, that’s your short list for Q2.

A policy that doesn’t reflect reality isn’t just outdated — it’s a liability.

Vendor Risk Doesn’t Manage Itself Between Assessments

Third-party risk tends to get managed in bursts. You do the due diligence at onboarding, you schedule an annual review, and in between, you mostly hope nothing goes sideways. Q2 is a good time to break that pattern for your highest-risk vendors.

You don’t need a full reassessment. You need a quick check on a short list of questions: Has anything material changed in their environment since your last review? Have they had any public incidents, breaches, or regulatory actions? Are they still meeting the contractual security requirements you agreed to?

For your Tier 1 vendors — the ones with access to sensitive data or critical systems — make that check a standing Q2 task. For everyone else, use the quarter to confirm your inventory is accurate. Vendors get added, forgotten, and never formally offboarded. That list is worth cleaning up.

The Controls That Slipped Through Q1

Every security program has controls that are technically in place but not functioning as designed. Configuration drift happens. Exceptions get approved and never expire. Automated alerts get tuned down during an incident and never tuned back up.

Q2 is a good time for a targeted controls effectiveness review — not a comprehensive audit, but a focused look at the controls tied to your highest-risk areas. Pick five. Test them manually. Do they work the way your documentation says they do? If the answer is “I’m not sure,” that’s your answer.

Controls on paper don’t stop anything. The gap between documented controls and working controls is where breaches live.

Training Isn’t Just a Q1 Compliance Event

Security awareness training tends to get pushed out at the start of the year to satisfy compliance requirements and then largely ignored until December. That model is showing its age. Threat actors aren’t seasonal. The phishing campaigns targeting your users right now aren’t waiting for your annual training refresh.

Use Q2 to run a targeted simulation. One phishing test, focused on a lure relevant to current events. Look at the click rate. Compare it to your last simulation. If it’s worse, that’s data. If it’s better, that’s also data. Either way, use it to have a real conversation about where your human risk actually sits, not just where your compliance checkbox is.

Making It Actionable: Your Q2 Reset Checklist

  • Clear the backlog first: Review open audit findings and risk register items. Close what’s done, re-prioritize what isn’t, and escalate anything that’s been stalled too long.
  • Touch three policies: Acceptable use, vendor management, and incident response. Confirm they reflect your current environment.
  • Check your top vendors: A quick status check on your Tier 1 third parties — incidents, changes, contract compliance. Document it.
  • Test five controls: Manual effectiveness testing on the controls tied to your highest-risk assets or processes.
  • Run one phishing simulation: Timely lure, clean methodology, real metrics. Share the results with leadership.

Discussion Questions

  1. What’s sitting in your risk register or audit tracker right now that’s been “in progress” for more than 30 days? What’s actually blocking it?
  2. How often does your organization review vendor risk outside of formal annual assessments? Is that cadence working?
  3. When was the last time you manually tested a control to confirm it was functioning as documented — not just assumed it was?
