As a security pro, you are not very popular because the perception is that you are going to tell staff how they did their jobs wrong, even though you know and your manager knows that this is not the case.
You are instructed by senior management to provide an assessment of the current situation and provide priority and direction to an organization whose train is quickly moving down the tracks on a set path. It's either jump on and try to share a seat with someone or let the train go by. I say, don't be afraid to jump on that train. You have been doing security for a long time and you know the right way and the wrong way to do things.
To begin with, it's imperative to gain public support from the CIO, CEO or your C-level sponsor. The employees, partners and entire organization needs to understand that security is important to senior management, or it will never be important to anyone below the C-level, and your program will never achieve optimum success.
Next, align your assessment and approach to an industry standard as this gives a security pro something to measure against. As of Oct. 1, there is even ISO guidance for health care organizations.
It also makes sense to leverage as much as possible what has already been done in the organization. Find your supporters and champions and praise and include them.
As well, stick to the facts and do not personalize gaps. Remember, we can't fix everything, so pick the most important things that must be done. Base this on risk to the organization and regulations that govern your business. Set a clear direction of where the organization needs to align with regulations and standards you choose. Outline what steps it will take to “move the dial,” and work with management. Together you can prioritize the work.
It takes time for those in an IT security role to be trusted, and you must demonstrate you are a team member with the same goal as your peers in management to improve business securely.