Unfortunately most of the "hard" work will be metrics massaging, redefining words and covering stuff.
But the first phase will be a lot of "security & quality" presentations to the troops, some hiring and ground prep-work so the blaming can be done when things go south.
I would like to be more positive, but I have already seen this cycle too many times.
How about security being part of the requirements to keep a job instead of a monetary bonus? And this has to be applied to the top first, only then to the bottom.
I cannot speak for everyone, but in my neck of the woods there are specific deliverables like locking down server access more, removing poorly secured test accounts and older auth methods in general, locking down the network in terms of what can access what, cleaning up dependencies, etc. There's a list of about 20-30 things that are to be measured automatically and driven to ~0.