What’s In A Security Program?

TL;DR: This post is long and there’s no way around it; security is complex and varied. Fundamentally, security breaks down into 8 verticals covering everything from physical security to privacy to engineering to incident response. Don’t expect one person to get it all done, and be concerned if your CISO doesn’t have something to say about each of these.

So You’ve Decided to Hire a CISO….

TL;DR: Organizations start security programs for a variety of reasons, but oftentimes have motivations that may limit the success of the security program. Keep in mind that the business needs a security program covers on day one will likely be very different from those it must cover as the company evolves; companies and their security leaders have to be ready to adapt. Finally, security is far more complex than most would imagine. The breadth and depth can be daunting even for experienced security professionals, let alone those who are not responsible for security.
