Review the CIS Controls and learn the following - Prioritization: Address the controls that will provide the greatest risk reduction
Measurements and Metrics: Establish common metrics to provide shared language of understanding for executive, IT, audit and security. Protect your organization in a manner that will facilitate audibility and transparency.