1.  Identify assets that require protection
2. Understand risks involved, evaluate the current level of IT security maturity and the threatscape faced by your industry
3.  Determine the acceptable level of risk for your specific organisation
4.  Adopt technologies & processes required to move your current security posture towards your goals that are in-line with your operations and budgets
5.  Implement, execute, monitor and feed the results back into the loop.