Security transformation begins with these top 5 actions:

  1. Take a fresh look at the risk profiles – [Validate] - Does transformation change the “risk appetite”? Speak to business leaders. Understand the factors that will influence the security risk scores and assess their business impact for crown jewel data access etc. Conduct a comprehensive assessment and get a fresh risk score. Are the new technology additions reducing the risk or introducing new risk types? Example – How do we control data access through mobile? Is there a solution in place, and does it support the technical standards of the company?
  2. Transform from typical Identity and Access Management with user-id/password to a modernized approach: (1) Consider SMS or an authenticator app for achieving multi-factor. (2) Role-based policies for users and resources. (3) Implement just-in-time or time-bound access for elevated permissions. (4) Extend directory services to understand the access profiles and apply policies from a 3rd party perspective. Where feasible, use multiple directories to minimize the attack surface (e.g. CIAM). (5) Register and identify all BOTs. (6) Use automated features to implement periodic reviews and alert for anomalies.
  3. Invest in security monitoring and alerting - (1) Move from basic alert and event monitoring to advanced monitoring that includes user behavior logs, system behavior actions, BOT delivered actions and cloud workload logs; deploy SOAR; include threat intelligence. (2) Consider Red Teaming exercises to proactively identify the weaknesses.
  4. Relook at endpoint protection controls - You have increased the ability to monitor the endpoint by deploying more protection agents (Group Policy controls, AV, DLP, web filter, data sync and so on), and all the endpoints are connected over public broadband. Why not a SASE for critical users or VPN for critical application access?
  5. Motivate the team members – This one is vital to bring clarity and success to the overall program. Everyone would want to learn new things, so getting the team members along is very important for the success of the overall transformation program. Hold regular update meetings to help them understand the roadmap. Reskilling opportunities will energize the game. Measure the reskill quality by using Learning Management Systems (LMS).

Please leave your comments / suggestions for anything else that could form part of this top 5.
