A good start is employing the Pareto Principle, better known as the 80/20 rule. It states that 80% of effects come from 20% of causes. Applied to security testing, the idea is to address 80% of the risk by concentrating effort on the 20% of causes that drive it. This can be achieved by identifying and classifying your applications by business criticality, so that it is clear which apps could expose the organization to revenue or reputation loss if compromised. This distinction lets you apply the appropriate type of security testing (and assign the associated budget) to each application category, making the overall effort more efficient. Your current systems also need to be updated regularly with the latest security updates, so make sure your organization implements a scheduled patching process as well as a secure Software Development Life Cycle process. This ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort rather than an afterthought.