Thursday, May 20, 2010

Best bang for buck security initiatives

If you are a CISO, or even a security analyst, what are some of the best ways to make a visible impression and change the risk profile of your organisation?

Well, here are some suggestions:
- conduct security awareness training customised to the processes of each business unit
- identify your key business processes and systems by interviewing business unit leaders
- perform a risk assessment of the top ten riskiest business processes and the top ten systems supporting each
- pick a key system, vulnerability scan its infrastructure and present the results together with proposed fixes
- identify the list of projects underway and risk assess the top ten riskiest
- engage someone to identify and test your internet-facing web applications
- talk your infrastructure people into doing an inventory of devices on the network
- monitor outbound web traffic for botnet command and control communications
- benchmark patch levels of third-party applications installed on top of the desktop standard operating environment (SOE)
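
One concrete way to start on the "monitor outbound web traffic" item is to look for beaconing in the web proxy logs you already have. Malware check-ins tend to hit the same destination at a fixed interval, while real browsing is bursty. The script below is an added example and not part of the original post; the log format, hostnames and IP addresses are constructed for illustration and are not claimed to represent any real infection.

```python
"""Beacon detection over web proxy logs: flag (client, destination) pairs that
connect at suspiciously regular intervals, a common trait of C2 check-ins.
Added example; log lines below are constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (hypothetical hosts and IPs). Line format:
# "<ISO timestamp> <client_ip> <destination_host> <http_status> <bytes>"
SAMPLE_LOG = """\
2010-05-20T09:00:00 10.1.1.5 update.example-cdn.net 200 5120
2010-05-20T09:00:00 10.1.1.7 bad-beacon.example 200 310
2010-05-20T09:05:00 10.1.1.7 bad-beacon.example 200 312
2010-05-20T09:10:01 10.1.1.7 bad-beacon.example 200 309
2010-05-20T09:15:00 10.1.1.7 bad-beacon.example 200 311
2010-05-20T09:19:59 10.1.1.7 bad-beacon.example 200 310
2010-05-20T09:25:00 10.1.1.7 bad-beacon.example 200 313
2010-05-20T09:02:13 10.1.1.5 news.example.org 200 45021
2010-05-20T09:02:40 10.1.1.5 news.example.org 200 1200
2010-05-20T09:31:05 10.1.1.5 news.example.org 200 30211
2010-05-20T09:44:50 10.1.1.5 news.example.org 304 0
2010-05-20T10:12:00 10.1.1.5 news.example.org 200 8800
2010-05-20T10:40:00 10.1.1.5 news.example.org 200 9000
"""


def parse_log(text):
    """Yield (timestamp, client, host, status, bytes) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, status, nbytes = line.split()
        yield datetime.fromisoformat(ts), client, host, int(status), int(nbytes)


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return [(client, host, hits, mean_interval_s, cv)] sorted by cv.

    For every client->host pair seen at least min_hits times, compute the gaps
    between consecutive requests and their coefficient of variation
    (stdev / mean). A beacon on a fixed timer has a cv near zero; human
    browsing of the same site has a cv well above max_cv, so it is not flagged.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _status, _nbytes in parse_log(text):
        by_pair[(client, host)].append(ts)

    flagged = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few requests to say anything about regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all requests in the same second: a burst, not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append((client, host, len(times), round(avg, 1), round(cv, 3)))
    return sorted(flagged, key=lambda f: f[4])


if __name__ == "__main__":
    for client, host, hits, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {hits} hits, every ~{interval}s (cv={cv})")
```

Tune `min_hits` and `max_cv` to your own traffic: a low threshold will surface legitimate pollers (update services, monitoring agents), so the output is a triage list for an analyst to run against known-good destinations, not a block list.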

Well, that's the end of my brain dump! Hope it helped you out with some ideas!

Monday, May 3, 2010

What are the CISO's most useful instruments?

So you want to conduct a symphony of information security within your organisation? Well, what are the instruments you will use in your orchestra? I suggest you might want to look for, or plan the creation of, the following:
- audit issue register (lead violin, sometimes a bit too screechy)
- enterprise risk register
- significant business unit risk registers
- compliance requirement register (the timpani)
- mapping of compliance requirements to your Information Security Management System
- control testing management reports and database
- management reporting template
- existing enterprise security plan and perhaps security plans of significant business units
- list of business units by criticality
- list of business processes by criticality within business units
- list of business applications by criticality with function descriptions
- current security budget
- business case template and submission procedures
- document map of ISMS with status of documents within it (approved, under review, drafted, not started)
- organisation chart
- list of security projects with budget and status
- list of business projects by criticality to business success
- enterprise security architecture (well, at least the "zone model", with zones mapped to examples in the existing environment)
- data classification scheme