- Are we ready to take security seriously?
- Do we have the right policies in place to educate, guide and hold our workforce accountable?
- What are our strengths, weaknesses, opportunities, and threats?
- Do we have the right people in place, both internally and externally, to make a move to a more secure footing?
- Do we understand the potential cost of doing nothing?
- Are the experts we are paying for doing the job?
For many, especially in the SMB space, answering these questions can be an eye-opening experience. No one is too small to be noticed. No industry escapes the scrutiny of those with malicious intent. The key to a successful security policy is to understand that it is going to change. It has to be able to evolve along with the threats that are present - this means it has to be regularly re-evaluated. There is no such thing as a one-size-fits-all policy. Even the NIST Security Framework has components that may or may not apply to your organization.
As in any 12-step program, the first step is accepting that you have a problem. We ALL have a problem. Do we have the willingness to address it? The important thing to understand is that you don't have to go it alone.