1. Get educated on ORM/TQM and on the business process and performance models that can be adapted to security. These models contain proven, widely recognized techniques and tools that support a security program's key performance objectives. You can learn them through peer review with other executives who have implemented such models successfully, or through an experienced ORM/TQM consultant who can walk you through the key pillars of a quality program and show how those concepts apply to your organization's leaders. Be sure the review covers success criteria and implementation strategies. ASIS (a recognized standards body) offers a certification for ORM, which gives you a way to assess a consultant's capabilities for auditing or implementation.
2. Hire a firm to survey the organization's leadership and learn how they operate. What are their value drivers? What do they currently think about security, and what do they expect from it? In short, what is the company's temperament regarding security leadership and programs? Do this so that risk and security can build a bridge to the organization's leadership and mission that fits the corporation's environment and culture.
3. Hire a consultant and/or integrator who has benchmarked (tested) and implemented security technology and can help you create a baseline and a performance measurement plan for your systems and programs.
4. Develop a strategic roadmap with the end in mind. Tie the evolution of security technology and the development of the program to the company's business cycle and business plans. Treat the creation of a security/risk master plan, one that demonstrates value through the metrics and measurements it produces, as a first step.
5. Understand and align with the IT roadmap and architecture.
These are all good starting points that will help you jump-start your efforts toward the goals and new outcomes you want for security.