Management and organization buy-in is important. Initially I would say
it would be helpful to do some internal education and awareness, which
helps with the first point. Identify a few things you can improve upon
right away. Some small obtainable achievements would help justify the
team if the team can point to some early success. Then build up that.
FIRST.org, which is the original security team community, has a wealth
of very detailed guides and information you might look over: