Participants at industry conferences and events often ask where the right place to start implementing security is. This is similar to starting off a talk with a doctor by asking “What medicine should I take?” The answer is going to be more questions. This article presents three questions to ask yourself before starting a security implementation.
As an active speaker at industry conferences and events, participants often come up to Jack Danahy and ask him where the right place to start implementing security would be.
Among those looking for the answer are new CSOs overwhelmed by the prospect of overhauling an organization's security infrastructure and business people thinking of how to cost-effectively improve security. What they all have in common is the search for a simple answer to a complex issue, and they are all asking the wrong question.
"What product should I start with?" is a very common first question, but it has about as much use as approaching a doctor and asking, "What medicine should I take?" Unless you are displaying some extremely obvious symptom, the answer is likely to come in the form of additional evaluation questions, and likewise with security implementations.
Before prescribing a cure, the patient, in this case the organization, needs to agree to a self evaluation. There are, at a minimum, three core questions that every organization, c-level executive, security consultant and others must be able to answer honestly before receiving a proper security diagnosis.
Why are you doing this?
What are you trying to secure?
What will happen if you don't do this right?
This article gives a quick explanation of these questions and how to go about answering them for your organization.
