* Decide where you want to end up. Do you want the absolutely best security program that money can buy? Are you aiming to do things only as securely as other organizations in your field? Do you want to do the bare minimum to avoid some regulatory sanction? Thinking about questions like these will help you determine what you can afford to do -- and what you can't afford not to do. Set a target, and then get senior buy-in and commitment for getting there. A fine example of goal-setting is the famous Bill Gates "Trustworthy Computing" memo, sent to all Microsoft employees in January 2002. In it, Gates wrote, "So now, when we face a choice between adding features and resolving security issues, we need to choose security." Those simple words sent Microsoft in a new direction and continue to shape the company's actions today. * Next, critically assess where you are now. Just how bad is it? Whether you do the assessment yourself or hire consultants, you should emerge from the process with a candid understanding of your current state -- no sugar coating. And if you haven't done such an assessment for some time, do it again. It's worth updating that "before" snapshot from time to time. * With your goal in mind and your current state understood, establish milestones. Start with bolstering the most glaring weaknesses uncovered in your current-state assessment. Plan and budget them out over a realistic timeline. Build each milestone into your organizational goals and your staff's personal goals. Plan to measure successes (and failures). Reward those who succeed, and punish those who don't.
There are plenty of resources to help along the way. For example, if software security is your responsibility, consider reading and participating in the Build Security In Maturity Model (BSIMM). It's a great way of assessing your current state by comparing your organization's practices against others, including (most likely) some in your specific industry sector.
Whatever path you take, be prepared for the hard work of getting into security shape. Just as there are no magic diet pills, true security doesn't come with buying a product, even if it's from a reputable vendor.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
Read more about security in Computerworld's Security Topic Center.