Secure-By-Design … It’s an Attitude !!

When my father first taught me to drive a motor car, I used to have trouble with all the levers (brakes, accelerator, steering wheel, indicators and gear lever) and how to use them in a synchronised way to get the car moving along smoothly and, more importantly, stopping. Being able to drive, he used to say, is not about the physical activity (that will become second nature); driving carefully, so that people are happy to be in your car and you can get from source to destination, is really about your attitude to driving.

What he meant was that successful driving is about how you manage your speed, maintain focus, adjust to your surroundings, stay aware of obstacles, manage risk and adjust to conditions. More importantly, it is critical that you follow the same procedures for conducting hazardous tasks such as changing lanes, driving on motorways, turning across traffic, approaching pedestrians and cyclists, or driving in darkness, whether you are in heavy traffic or the only one on the road.

Similarly, the approach to Security should be the same. It is not about the number of firewalls you have, the software you run, how often you force-change passwords or the implementation of 2FA. All these aspects are important to securing your infrastructure and data. However, to optimally protect your most valuable assets you need a security framework and a consistent set of processes and procedures. The Australian Signals Directorate (ASD) has such a framework, called Secure-By-Design.

Secure-By-Design provides a ubiquitous and proactive framework for building a complete security approach. Like other “By-Design” methodologies, it considers security throughout the design and development process, and ensures ongoing vulnerability management with built-in feedback to keep ahead. The details of the framework are here: https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/secure-by-design/secure-design-foundations