Often people ask those of us who are in the security field how to "break in" or what certifications they should focus on. Sometimes they want the "fast track" but usually they realize that it's not something that you can just do overnight. You have to have a goal in mind and make a plan on how to get there.
The same holds true for companies. Whether you are a new startup or have been in business for many years, you have to have a plan for your company's security. You can't just decide that you want to get secure and start installing devices and implementing policies. Or if you do, you will realize that it will possibly hinder your business or be one major headache for the entire company.
It's a process that has to be developed to fit YOUR company's needs. What is right for Company X is not what is right for you. You may be able to use them as a template, but you have to customize it to fit your business.
Once you have this completed, you still can't just rush out and buy something. You have to implement the right "something". It might be technology, policies, procedures, etc. It also has to fit your needs and budget. You have to take into account what other resources will be needed. Do you have the right people to deploy, manage, maintain and understand the technology? Do you have the infrastructure to support it?
What about those who have limited budgets? How do they secure their environments? That's where "One Step At A Time" comes into play. Companies that have limited budgets have to look at what will give them the most bang for their buck. Do they need a better firewall (I'm assuming they already have something in place), endpoint security, web security? What is it that is most valuable to the company?
Once you have addressed that, you can then plan and move on to the next step. What needs to be done next? How can you mitigate risks while in the "waiting" phase? How do you protect yourself as best you can with what you have? You always have to think forward. Look towards your goal and how to get there as safely and effectively as you can.
The inspiration for this post came after I read this post by Scott Wright at the Security View blog.