Risk and Threat modeling (yes, they are different) are two effective ways to start building out the requirements for your security program. Solutioning through scenarios is like that, with a little more table top exercise sprinkled in. Also, learn how an old model from my Telecom days, the FCAPS model, plays a vital role in how I approach problems and come up with solutions.

Companies go through different rates of growth and have different information security needs as a result. Learn about a few common stages of growth, signs that your company might be in it, and what you might be able to accomplish. When the business doesn't want security to get in the way of getting a product launched, focus on the corporate side. Once you've made impact, start building components the company can consume to start doing things right in a standardized way. Ultimately, you'll find yourself writing policies and engineering technical solutions to enforce them. It's a never ending challenge, but it's so rewarding!

Right off the heels of BlackHat, DEFCON31 and BSidesLV, also known as Hacker Summercamp, hear about an impromptu conversation at dinner with a stranger around how to become more "Security" minded using the FTC's Start with Security guidance, making the jump from IT to Security a real possibility!