I usually walk clients through an exercise to identify significant gaps in the organization's posture and then determine what controls make sense, based on the organization's goals. Goals? “What, you mean we are supposed to set goals for our security program?” you ask. Of course!
How do we accomplish this?
Identify your organization's weaknesses and greatest risks
Define the controls, processes and procedures you need to address and mitigate those risks
Make your map to get you to your desired security destination
As daunting as it may sound, you will not get anywhere if you don't complete these steps.
When it comes to the “Make your Map” phase, a successful strategy I have used in the past is to break down the efforts into tactical and strategic plans.
Tactical planning covers near-term, relatively low-cost improvements that deliver significant value to the organization.
Strategic planning often requires more time, effort and resources, and sometimes more cost, but it is what completes the long-term vision for an organization's security goals.
In closing, I offer the following advice:
Document a plan for achieving short and long-term security goals
Budgets should not be a reason to leave something off your “wish list” of what security should look like for your organization
Implement practical controls that help you through your journey
Be flexible. Budgets, personnel and objectives change, and so may your plan.