The organization's management is responsible for its information security and must establish the security objectives and ambitions of the organization.
Evaluate your level of information security. Define where you are, and which level you want to reach. To achieve that, also mark your governance and security policies, to make your frame of action as clear as possible.
Human beings remain the most vulnerable link in any information security chain. Make your internal and external collaborators aware of the risks of information security. Make sure they assimilate your messages by testing their knowledge. They will be your first defense in case of attack.