It is a pity that this conversation lacks comments. Please let me fix that. I will start with the Pillars work prioritisation.

Q: What must be done first?

A (Practitioner perspective): Whatever can be done to address critical risks. For example, if AAA allowing access to some TS data is weak, fix it first. No business owner would allow leaving it on a backburner because of a great ‘bow-tie’ roadmap. Next step? Assess the small step, learn your lessons and extend.

Trainer perspective: it helps to visualise. Let’s imagine an art collector's house with a broken window (single-factor authentication). Would you replace it with a similar one, or with double-glazed, tempered glass and a steel deadlock (a hardware token with a built-in HSM that users can only get after a retinal scan)? The second option is better but comes with a price tag.

Practitioner perspective: The price tag is mostly labour. So the gained experience would allow repeating the solution for S and even PROTECTED.

A bit of a conclusion: The roadmap is very much enterprise specific and must account for the most valuable assets, risks and real delivery experience.