If your organization is just starting out on its cloud security journey — whether it’s a rapidly growing startup or a more established company — it’s important to develop a strategic security roadmap that’s suited to its early-stage maturity level. You should not reasonably expect to go from no security, or rudimentary security, to a full-blown, all-encompassing program in one step. It’s far better to take a graduated approach: define objectives that will give you reasonable protection now, that won’t drain your budget and resources (and possibly divert critical resources and attention away from your company’s primary business goals) — and that will also serve as a rock-solid platform to build on when you want to move up to the next level of maturity on the cloud security ladder.
Step 1: Define Your Objectives and Priorities
For an early-stage program, three objectives are a sensible starting point:
- Establishing a security baseline
- Implementing industry best practices that are designed to bring rapid improvement to early-stage companies
- Starting a company-wide security awareness program
Step 2: Define Constraints
Now that your objectives have been defined and you know what you need to accomplish, you must think realistically about budget, time, and resource constraints. On one hand, you don’t have all the time, money, and resources in the world, so you need to use what you have wisely. On the other hand — and here’s the good news — at this maturity level, you don’t need a large commitment in any of these areas.
Step 3: Execute on Your Plan
It is a good idea to create three checklists (one for each of your objectives) to capture what you need to do, who is going to do it, when it will be started and completed, and the results you obtain. Take these items and work them into your work management system: create tickets, kanban cards, sprint stories, etc. This will help you track what needs to be done, what is in progress, and what has been finished.
Step 4: Measure, Evaluate, and Improve
No system is perfect in its implementation or results from day one. You need to measure results, evaluate them, and make improvements. Not only does this lead to continuous quality improvement, but the very act of carrying out this activity makes your security program more proactive and less reactive, and therefore a stronger and more effective part of the daily life of your company.