In my travels as an engineer, executive and now consultant I've seen many organizations of various sizes in a plethora of vertical markets. They all share one common element. Chaos.
In the smaller organizations the chaos is in the big picture. They typically don't know where to begin in developing or managing an information security program. They do little bits here and there but nothing is centralized and rarely does it tie back into business objectives. Audits in these environments typically uncover multiple gaps in risk assessments, documentation and IT controls.
For the larger organizations the chaos is in the details. They've got a great framework for how the security program is supposed to be implemented; however, it is so complex that it rarely works. The processes and procedures work well for one business unit but may not scale well to the rest of the organization. This usually results in audits uncovering entire units and divisions which aren't following established process because it would kill their business.
Developing an enterprise-wide security program is difficult. Trying to find something that works well for, and is accepted by, everyone isn't for the faint of heart. I know because I've done it at several organizations. My best advice to someone trying to tackle this is to consider picking one of the established frameworks and using it as a model for your program. Notice I said model. These may not fit your organization exactly and may need modification or simplification. Unless you're trying to gain ISO certification, you can pick and choose what portions of the standard apply to you.
Do some research to see if one of the common frameworks such as ISO 27001, COBIT, NIST or ITIL is commonly accepted in your industry. This will make it easier to find organizations with a similar structure in order to learn from their success or mistakes in adopting a similar program. You might also find it easier to use the same lingo in describing your program to an external auditor or finding new employees in your sector with experience in one program versus another.
Take it slow though. Don't tell yourself you're going to implement ISO 27001 this year. Approach it as a migration. You're going to migrate from complete and utter chaos, to structured chaos, to slight disorganization, and finally, in about 3-5 years, reach a level of maturity that others drool over. Pick part of the framework to implement your first year. Find something that won't be too politically charged for the organization and will allow you a quick win. This will help build momentum and trust in the program, which in turn leads to stakeholder buy-in and eventually funding. Starting off too strong is likely to doom your initiative before it ever has a chance to prove its worth.
There is no perfect one-size-fits-all model for implementing a security management program. The models and standards-based frameworks each have their own faults. They do, however, have exponentially more benefits than trying to develop something on your own.
Is anyone going through a current implementation? Which model or framework are you using and why? I'd love to hear what's working well or if there have been struggles. Please share your experiences.