With that data in hand, it's time to compile it into a compelling security strategy to present to senior management. The process of developing a multiyear security strategy and ensuring proper alignment with key C-level stakeholders should take no longer than four months, according to James Quinnild, a partner with PricewaterhouseCoopers who specializes in enterprise IT risk and compliance, security strategy and identity management for global organizations. We see too many organizations lose steam or experience organizational fatigue; others spend too much time thinking about the perfect answer, he says.

A sound security strategy will include an analysis of your company's current security posture and a detailed road map for achieving security goals, and can serve as a useful tool for budgeting and measuring progress. Unfortunately, too many security strategies end up sitting on a shelf collecting dust.

In the past, strategies were about creating an elegant picture of a future state, versus what to do tomorrow or next quarter, explains Quinnild. Typically they fail because they are technology-centric, poorly socialized within the organization, not tied to what's important in the business, and not communicated well upward and outward.