Stage 3 is mainly for larger SMBs and those with information “crown jewels” they need to protect. It is where organizations start to broaden the range of security controls they apply, dealing with a wider range of threats to their more complex operations and systems. As with the transition from Stage 1 to Stage 2, the transition from Stage 2 to Stage 3 should not be undertaken until the Stage 2 controls have been embedded in the organization and shown to be effective. As mentioned at the start of this paper, large organizations can take Stage 3 a long way. There is no end to the security measures they can apply to keep the large attack profile they present resilient to all the attacks they face. This paper is not aimed at helping them. It is aimed at those who have got what they can out of Stage 2 and find they still have some room for security improvements: organizations that are ready to look at what else they might want to be doing over and above the Stage 1 basics, and that want to know how to go about shaping the next stage of their security journey.