The T approach means to go horizontally (breadth-first) across the company identifying its risk surface, and evaluating the probability and impact of each threat and risk. Then go vertically (depth-first) thinking how to implement security controls to really reduce the probability of the most important risk happening and reducing the impact in the case it happens
When this is done with a risk or group of similar risks, we continue with the next risk.
When this exercise was done in a big retail company, they identified that the biggest risk was to be infected by ransomware and that it affects their operations.
After identifying the risk, they started researching how they could be infected and impacted by ransomware. They identified the different infection vectors : email, web, usb, being email the one with the biggest probability.
They focused in the email infection vector. They started identifying and thinking which security controls they could apply to each layer to reduce the risk: in the external firewall (blocking known malicious IPs), in the email secure gateway (URL rewriting, sandboxing, reputation lists…), in the anti-malware software (updates, signatures), in the EDR (custom rules), in the operative system (blocking macros in documents downloaded from the Internet), in the domain controllers (reducing domain user accounts), etc.
They then made a plan to implement these security controls and leaded their implementation working together with the different IT areas.
If you are curious, you can check this article about security controls against ransomware.
The main idea is that it is much better to focus on the most important risk and work to eliminate or reduce it until you have it under control, than try to just define policies and go superficially about the security controls of your company, trying to reduce all the risks, but not implementing really effective security measures.
After implementing the security controls related to prevention, detection and reaction, against the most important risks, it is a good idea to validate them. An option is to hire an external red team and request them to try to hack the company simulating to target the risk you identified. If a really good red team provider tries to do this, you would be able to see how easy or difficult your security controls can be circumvented and in the case of breach, if we are able to detect it and how fast.
You can read more about red teaming in why to hire an external red team.