You have to start looking for the quick wins -the things that are already public facing, the things that have less of an impact on the overall agency security posture. Then you have the bigger wins, which require a lot more movement like the commodity processes -things like email, productivity suites, the bulk data that's going to be out there that you can't really say all of this is going to be very low risk or very high risk. It fall somewhere in the middle. You just have to pull the band aid off and start moving things.
CISO, Nuclear Regulatory Commission