Prioritizing security measures is the first step toward accomplishing them, and the SANS Institute has created a list of the top 20 critical security controls businesses should implement.
They include some obvious steps, such as getting a comprehensive inventory of all network devices and software, implementing secure hardware configurations and providing for data recovery, but also get into areas that are less evident.
Some of these items can be costly and include regularly scheduled assessments (penetration testing and red-team assessments, for example), so they require funding through annual security operating budgets.
Even if an organization can’t handle all 20, it’s a good list to include in a comprehensive set of goals that gets updated periodically as the threat landscape changes.
SANS offers a course on this, but here’s the list with links to recommended implementation steps: