From the course: Soft Skills for Information Security Professionals

Do your research


- Security can mean different things to different organizations. Leadership at one organization may be comfortable taking chances that leadership at another organization wouldn't even consider acceptable. The challenge facing you is understanding how to frame your proposed solutions in a way that's not only going to resonate with your leadership but is also appropriate for your organization. In order to understand your organization, you're going to need to do a little research.

Imagine this scenario. Due to a recent stolen laptop incident, you've decided to propose a laptop encryption project for the next fiscal year. You're in a budget meeting where the goal is to determine what stays and what goes. You propose your encryption project. The CFO asks, "Why do we need this?" You offer up all the expected answers: laptop encryption is a best practice, we had an incident of a stolen laptop, everyone else is doing it. Even after that, the CFO still doesn't have the answer that they're looking for. How do you approach this? What do you do? Well, if you're in healthcare in the United States, then HIPAA makes a pretty compelling case for encryption. In the European Union, GDPR also makes a compelling case for encryption in some circumstances. But what if you're in an industry where you don't have the same compelling requirements for encryption? Can you still justify the cost and effort of your project to leadership?

Every organization has competing priorities, and its internal information security program is just one of them. When you're considering a new security project or program, one intended to address a current challenge, you need to know more than just how to fix it. You need to know which fix is right for your organization. There are plenty of resources available to help you figure out the how, especially in the security vendor space. If a vendor has created a product designed to automate a security control, then I guarantee you that the vendor has resources that they would be more than happy to share with you, even if you don't use their product to address that specific gap. For instance, vulnerability management vendors have made it their business to include the results of their research in their reports. Not only do they identify the vulnerabilities, but they provide details on the potential impact as well as ways to fix the problem. Analyst groups like Gartner, Forrester, and IDC have hundreds if not thousands of reports and white papers to help you make sense of the vendor space. If you're looking for context and analytics, you can find it in resources like the Verizon Data Breach Investigations Report and the Privacy Rights Clearinghouse Chronology of Data Breaches. Frameworks like ISO 27001 and NIST 800-53 provide you with more information on security controls than you'll know what to do with. But when it comes to researching which fix is right for your organization, that's on you.

Try this for me. I want you to write down one security challenge you're currently facing, something you'd like to fix as soon as possible. Got one? Good, now write down your top three recommendations for addressing that challenge. List them in order from your most favorite to your least favorite. Go ahead, pause the video until you're ready. I'll be here when you get back. Set that document aside for now. We'll come back to it in a second.

As you work toward the solution that's best for your organization, it helps to look at the big picture. Is your company publicly traded? If so, have you read the company's latest 10-K report? A 10-K is a really detailed report that public companies need to file with the Securities and Exchange Commission each year. You can download that report and every other report that your company has ever filed from EDGAR, the Electronic Data Gathering, Analysis, and Retrieval system maintained by the SEC. If your company isn't publicly traded, then it may still have an annual report available, either internally or on the company website. At the very least, you should be able to ask around for a mission, values, or vision statement. You should be able to answer these questions about your organization: What does my company do? How do we do it? Why do we do it? And who is our leadership team?

Once you've answered those questions, I want you to revisit that security challenge you wrote down just a bit ago. Take a look at your answers. Given what you know now, would you add or remove proposed solutions? Would you change the order? Would you change your timeframe given what you know about the company? When researching how you'll address each new challenge, use this process to help you make sure that the solution you're proposing is one that will resonate with leadership.