When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained, outsize effects, as well as diving into the immediate and very specific things that need improving.
Fundamental, but not easy, and a constant work in progress for everyone. This means maintaining a catalog of risks, the controls that mitigate each of them, and continuous automated verification that those controls are actually in place and working, rather than assumed to be.
If controls can be embedded widely, deployed easily, managed autonomously, made cheaper, have fewer negative externalities (user friction, operational overhead) and bring adjacent non-security benefits (reliability, observability), then you can apply more of them at diminishing cost.
Obvious, right? But easier said than done. Minimize attack surfaces, architect for a lower blast radius so that any one compromised component exposes as little as possible, and implement "zero trust", whatever you take that to mean.
For every unit spent on trying to hire and train more security professionals, invest 10x that in increasing the productivity of the people you already have. This also helps retain them, since they will be doing higher-quality work.
Constantly scale up and speed up the intelligence, hunt and defense OODA loop. Disrupt the economics of attackers: study their evolving TTPs, not just attack-specific IOCs, and aim to neutralize whole classes of attacks rather than individual instances.