“Implementing a Security Roadmap should be your number one priority from a cyber security perspective.
Urfaan Azhar, Microsoft Strategist

Define and implement key aspects of your security strategy all within the Microsoft 365 Platform. Let’s get you started with these 11 key steps: 


1. Understand why you need a Security Roadmap 


Having a planned Security Roadmap helps you stop being reactive, making sure you adopt a defined approach to your IT security. Using roadmaps aligns your security processes to business goals and objectives, improving your overall security posture. 


They give you an understanding of where you are today. This sets you on a journey that helps you continually monitor, assess an improve you cyber security. This is a never-ending task - security threat is relentless and ever evolving.  


2. Set yourself a timeline 


Start with 12 months and spend half a day, quarterly, to review your progress and update your roadmap (important you make it manageable). A working document that is evolving and adapting to the current threat landscape is a powerful tool when it comes to mitigating risk. 


3. Pick your battles 


If you decide on a Zero-Trust approach - write that down and commit to it, explain to key stake holders what it means and then pick some quick wins. The image below illustrates Microsoft’s Zero-Trust Security approach. For those new to this approach, we recommend 3 core components to get you started. Protecting your people (Identity), the devices they use (endpoints) and the information/data they access.



4. Measure where you are today


Use tools like Microsoft’s Secure Score and Compliance Score, we also have a PTG Security Form (fill out the form and we will send you a Security Scoreboard). Microsoft's Zero Trust Maturity Model Assessment Tool measures where you are today offering you a verified starting point. Having a bad starting score isn’t bad, as long as you take action to improve it! 


5. Measure yourself against compliance requirements


What are your compliance and regulatory requirements? E.g., ISO 27001, Cyber Essentials, internal GDPR and any other IT/Information policies. Measure yourself against the key elements of these requirements. The Microsoft Compliance Centre has some great templates you can use to get you started. 


6. Define key milestones 


Go for quick wins that have the biggest impact, such as end-user training and MFA. Below is an example that we recommend you complete as a minimum - 4 key steps over the next 12 months, 1 step each quarter. 


Step 1 – Security Management – Security Roadmap, M365 Tenant Health Check, Awareness Training


Step 2 - Identity Access Management – Multi Factor Authentication 


Step 3 – Threat Protection – Mobile Device, Mobile Application, Unified Endpoint Management


Step 4 – Information Protection – Information Protection 


An independent assessment of your cloud platform is imperative. This ensures you meet best practices. When we conduct a Microsoft 365 Tenant Health Check, that’s when we often find the most gaps and issues.



7. Don’t use end users or senior leadership as an excuse  


Many blame end users or senior leadership resistance for not implementing security practices. Your users and senior leadership can’t stop your organisation utilising appropriate health and safety measures, so don’t let them do the same to Cyber Security. The cyber threat is real. You must attempt to mitigate risk and prepare to recover from the inevitability of a breach. 


8. Outline a breach/leak response 


Plan and outline how you would report this to the ICO, your Cyber Insurance company, affected suppliers/customers and colleagues. Key stakeholders like Operations, HR, PR/Marketing will also need to be involved to limit the operational impact and reputational damage.  


9. Record your plan as it develops, even if it changes or pivots 


If you plan to implement Information Protection and then decide against it, record the changes and failures. This shows your intent and attempts to improve security. No organisation can plug all the gaps but showing this will help appease customers/suppliers or even the ICO in the event of a breach. 


10. Don’t do it on your own 


Get buy-in from others and give them ownership. If you’re an SMB get the MD or Operations Director on board. If you are Midsize or Enterprise, then the Security Officer or CISO needs to lead. Bring together key people who’ll help overcome resistance. 


11. Write something down today


Bring all of your planning together and title it ‘Security Roadmap’. Get the decision makers pledge allegiance to Zero Trust principles: verify explicitly, use least privileged access, and assume breach. This will create a fundamental shift in mindset. 


Technology moves fast, we do too and so can you. To get started on your journey, talk to us