
Start small
Take baby steps to show everyone in your company that security doesn't need to be tangled and complex. If you show people that it takes three clicks to make their computer more secure, their mindset will change and they'll be eager to adopt more such hassle-free measures. Do the things with the biggest ROI and the lowest cost of implementation first, then steadily increase the complexity of your security requirements.
The common mistake I've seen is that InfoSec professionals try to start out too big. They want to enforce every possible rule as soon as possible, or better still, all at once. While this approach may sound reasonable from a security perspective, it's a complete disaster from a practical business point of view, and I have never seen it succeed. For example, when restricting access, do it in many small stages; otherwise you may outrage people when they suddenly lose access to things they have used freely for years.
Building security is tough, not because it's complicated but because it takes a lot of time, perseverance and patience. If you're joining an organization that's a few years old and never had a security person or a security culture before, prepare yourself for a slow rollout (and some burnout) of all the great ideas you have. People who were never taught to be security savvy will have a hard time adopting new requirements, even when you have a reasonable justification for them.
The best way to build credibility and get immediate results without irritating people is to start with subtle changes: show the value of strong passwords, password managers, two-factor authentication, antivirus and regular software updates. Once adopted across the board, these add up to a good security baseline.
You won't get much love for a 30-day password expiry, or for cutting off access to critical services and hurting engineers' productivity because you haven't done good enough research beforehand.
Start early
The earlier you start, the more effective you're going to be, for two main reasons. First, people never get a chance to form bad habits if security was always in place. Second, it's far more expensive to change the architecture and refactor a finished product than to design it securely from the start.
I recommend that businesses of every size look for the help of a security consultant as early as possible. Asking for a few hours of consultancy won't ruin your budget, but it can give you a baseline upon which you can build securely from day one and avoid a lot of refactoring and breach costs in the future. Chances are you personally know a security enthusiast who'll be more than happy to help free of charge and make sure your products are robust, so reach out to your social circles and ask for help as soon as feasible.