Your First Steps:
Decide who will “own” security
Information security decisions must be made at a level above IT, by those with the funding and authority to support their choices.
The position of Security Officer must be filled. It doesn't have to be someone with technical training. The security officer's role is to understand the security framework and, working with a team that consists of HR, Finance, and IT, ensure that everyone adheres to it.
A consultant cannot be the security officer. It must be a corporate employee who is in a position of authority to guide all divisions.
If your company's systems reach a particular size and complexity, you will also require a Chief Information Security Officer (CISO) who is educated in both security and IT management. A consultant can perform this duty, and because the average CISO compensation is above €200,000, many businesses hire part-time consultants as "virtual" CISOs. A CISO with extensive expertise may be yours through Network Gate.