Step 5. Select the appropriate point person responsible for implementing (or championing) each high-priority control.
Step 6. Establish a way to measure the effect of each new control and a way to communicate that measurement within and outside of your working group. Don't get too hung up on making Step 6 overly formal. Keep the end in mind: Enable business objectives. Keep it simple. Show progress. Make internal investigations more effective and less risky.
Now repeat this six-step process with a new team for each of these additional areas:
* business continuity and disaster recovery
* intellectual property protection
* and brand protection.
Obviously, each of these areas may require a slightly different set of team members.
Beyond the specific business value you create in each area--the deliverables in steps five and six--you will also lay the foundation for more interdepartmental communication and coordination. Security personnel will have more and better contacts within finance, marketing and other groups. As we've noted before, those connections can form the basis for competitive advantage for your company.
Yes, but the first steps don't have to be giant ones. Hopefully this six-step exercise gives you a starting place.