“Implementing a Security Roadmap should be your number one priority from a cyber security perspective.” – Urfaan Azhar, Microsoft Strategist

Define and implement key aspects of your security strategy all within the Microsoft 365 Platform. Let’s get you started with these 11 key steps: 

1. Understand why you need a Security Roadmap  

Having a planned Security Roadmap helps you stop being reactive, making sure you adopt a defined approach to your IT security. Using roadmaps aligns your security processes to business goals and objectives, improving your overall security posture. 

They give you an understanding of where you are today. This sets you on a journey that helps you continually monitor, assess and improve your cyber security. This is a never-ending task - the security threat is relentless and ever-evolving.

2. Set yourself a timeline 

Start with 12 months and spend half a day each quarter reviewing your progress and updating your roadmap (it is important that you keep it manageable). A working document that evolves and adapts to the current threat landscape is a powerful tool when it comes to mitigating risk.

3. Pick your battles 

If you decide on a Zero-Trust approach - write that down and commit to it, explain to key stakeholders what it means and then pick some quick wins. The image below illustrates Microsoft’s Zero-Trust Security approach. For those new to this approach, we recommend 3 core components to get you started: protecting your people (identity), the devices they use (endpoints) and the information/data they access.


4. Measure where you are today

Use tools like Microsoft’s Secure Score and Compliance Score. We also have a PTG Security Form (fill out the form and we will send you a Security Scoreboard). Microsoft's Zero Trust Maturity Model Assessment Tool measures where you are today, offering you a verified starting point. Having a bad starting score isn’t bad, as long as you take action to improve it!

5. Measure yourself against compliance requirements 

What are your compliance and regulatory requirements? E.g., ISO 27001, Cyber Essentials, internal GDPR and any other IT/Information policies. Measure yourself against the key elements of these requirements. The Microsoft Compliance Centre has some great templates you can use to get you started.

6. Define key milestones 

Go for quick wins that have the biggest impact, such as end-user training and MFA. Below is an example that we recommend you complete as a minimum - 4 key steps over the next 12 months, 1 step each quarter.

  • Step 1 – Security Management – Security Roadmap, M365 Tenant Health Check, Awareness Training
  • Step 2 – Identity Access Management – Multi-Factor Authentication
  • Step 3 – Threat Protection – Mobile Device, Mobile Application, Unified Endpoint Management
  • Step 4 – Information Protection – Information Protection


An independent assessment of your cloud platform is imperative. This ensures you meet best practices. When we conduct a Microsoft 365 Tenant Health Check, that’s when we often find the most gaps and issues.

7. Don’t use end-users or senior leadership as an excuse  

Many blame end-user or senior leadership resistance for not implementing security practices. Your users and senior leadership can’t stop your organisation from utilising appropriate health and safety measures, so don’t let them do the same to cyber security. The cyber threat is real. You must attempt to mitigate risk and prepare to recover from the inevitability of a breach.

8. Outline a breach/leak response  

Plan and outline how you would report this to the ICO, your Cyber Insurance company, affected suppliers/customers and colleagues. Key stakeholders like Operations, HR, PR/Marketing will also need to be involved to limit the operational impact and reputational damage.   

9. Record your plan as it develops, even if it changes or pivots 

If you plan to implement Information Protection and then decide against it, record the changes and failures. This shows your intent and attempts to improve security. No organisation can plug all the gaps, but showing this will help appease customers/suppliers or even the ICO in the event of a breach.

10. Don’t do it on your own  

Get buy-in from others and give them ownership. If you’re an SMB, get the MD or Operations Director on board. If you are Midsize or Enterprise, then the Security Officer or CISO needs to lead. Bring together key people who’ll help overcome resistance.

11. Write something down today

Bring all of your planning together and title it ‘Security Roadmap’. Get the decision-makers to pledge allegiance to Zero Trust principles: verify explicitly, use least privileged access, and assume breach. This will create a fundamental shift in mindset. 

Technology moves fast, we do too and so can you. To get started on your journey, talk to us.