Often, the hardest part of beginning is getting senior management buy-in. Secret #1: You must present security expenditures as a cost of doing business, similar to equipment purchases and postage. If the threat does not seem real to your executives, try explaining in terms of these real world cases caused by lack of a security policy.
After the "go ahead," you need a clear idea of the task at hand, and then a breakdown of that task into manageable pieces. It doesn't matter how many you have or how you do it, as long as it makes sense to you. Secret #2: You can't just "write a security policy" and be done; it is a process.