Imagine you are tasked with improving the security posture of an organization. What approach would you take?