Starting to study any subject feels tedious and difficult when you look at the work ahead from the bottom up. It also makes no sense to look down on any particular skill or piece of know-how. Information security is not, in principle, about sophisticated tools, roles, titles or standards; those appear on the scene only at a later stage. Of course, it is fine for a company to pay attention to them as well.
Starting an information security programme from the technical implementation is not only expensive but also the wrong way to manage security, because security is built on ways of thinking. A company is always made up of people, and people hold different opinions. Handing responsibility for security over to the IT department alone is likewise a bad approach, because a chain is only as strong as its weakest link.
We information security people are notorious for banning everything interesting and useful in a company. That too is wrong, because the company's management, not the security team, is responsible for its plans and vision of the future. Before anyone can even think about changing practices, collaboration between the various departments and management must be smooth and prompt. Even large companies struggle with this: if you do not get these interactions right at the outset, then once operations are large-scale, everything collapses the moment an information security breach occurs. In other words, the models and working methods for cooperation are put in order first!
Once the company's culture is at a good enough level and collaboration between departments is working, it is time to turn your attention to the security basics. This is still not the stage at which expensive IDS systems or incident response teams are ordered. At this point, the role of each department in the event of an information security incident should be precisely defined. Now is also the time to review the company's critical authentication systems, train staff and consider threat modeling. These are just a few example measures; the right ones are very company-specific.
The last of the basic steps is more detailed planning for systems, software and partners. And once the company has reached this stage, everything starts all over again. Information security is an ongoing process of improving the company's culture, training, testing software and detecting threats. Current developments must be monitored, and security must be viewed as a whole, from the actions of the individual employee to the protection of intercontinental networks. Unfortunately, the days when the intranet firewall was a sufficient tool to combat attacks are long gone.
When you break things down and do the small things step by step, you will see a lot of progress over time!
Best information security regards