For small and medium organizations, implementing a formal security program can see like a huge task. However, breaking this into small steps can help make that goal seem more attainable. The CIS 20 security controls is a framework that every SMB should begin implementing. Under CCPA, organizations that are following a proven framework, will be exempt from some of the litigation liabilities. CIS 20 is one of the frameworks that California attorney generals have accepted in the past. If you don’t have a security program in place, your organization is like tacking the problem in an ad-hoc manner. Should an attack happen, being organized will give a much greater attempt of surviving.