Here are my four main suggestions.
First, know your threats. Identify and prioritise the threats that pertain to your day-to-day business operations. Remember that threat vectors are not all created equal. For example, viruses and worms may be the most frequent threats you face even though you have already mitigated their impact, whereas rarer denial-of-service and remote-control attacks could present serious challenges to your operations.
Second, determine your vulnerabilities. Arrange for a trusted, qualified third party to do a broad-based security vulnerability assessment (SVA). Such an assessment should cover specific sample populations, such as selected areas of your IT, business infrastructure and operations.
Use a holistic approach that examines root causes and takes corrective action. Then, break down your recommendations for remediation into people, policy, process and technology.
Third, make sure you avoid techno-babble. Keep in mind that IT and business managers will react better if you govern your approach with the basic tenets of business risk management, not just IT security terminology, which all too often degenerates into techno-babble.
This is not the business language with which upper-level business executives are comfortable. Talking their talk will get their interest and support, helping you move beyond a set of tactical and technical IT security fixes.
And, finally, ask whose plan it is. To be successful in this process, you must create and sell an appropriate IT security strategy that has been tailored to your company's risk profile requirements and business operational needs.
It is often easier to convene an appropriate IT and business management advisory council to help you in this strategic planning process if you present a business risk management-based charter, goals, objectives, and so on. These should be couched in business terms, be measurable, and help meet executives' business operational responsibilities.
It is also important to convince a broad base of IT and business managers to own the company's IT security strategy. Otherwise, it will be nothing more than a random and disconnected set of IT security programs and projects that might offer some level of protection, detection and risk avoidance, but with no real, measurable risk-reduction targets that IT and business executives understand. The ultimate goal is to get business executives to buy into and own the firm's overall security strategy.