Stan Gatewood, CISO of the University of Georgia, suggests the following steps to set up a new (or newly strategic) information security program: Identify executive leadership, select a point person, define goals and prioritize them. Establish (or re-establish) the security organization. Revise existing policies and develop new ones as needed. Measure outcomes with metrics to realize true decision-making and improved performance, he says. For example, IT security metrics must be based on goals and objectives.

