How should Small or Medium Enterprise (SME) companies tailor larger cybersecurity frameworks (CSF) to their operating models?
I've recommended simplified versions to some smaller clients that consist of just five categories. If they make decisions that they believe are going to put them at risk, they open up their OneNote to say, "This is the decision, this is the category, this is when I will look at it again." Then they've implemented this CSF and they have a risk register. That's all I can do right now. If they revisit that once a month, they're probably in a better position than the average 15-person company, and that's okay for now.
The way I've always looked at it is that how you apply them has to be right-sized. It's the application of the framework to the problem, size, scope, organization, or the vertical. That's the tailoring. It’s like buying a suit: I'm a 42 regular, but if a size 42 suit is not tailored for me, it’s not going to fit exactly right.
Start by asking, how does this SMB take the CSF? I could start with just: digest, respond, recover. Three things under each of those studies would be good for a five-person shop. They probably don't need anything more than that. So it's a matter of how you scale these up or down while still leveraging the structure.
I've wondered whether the frameworks are only built for these larger corporations, or if there is a simpler way to do it. Because right now it seems like too much for a smaller company. If there are 20 or fewer people, they don't have the time.
I'll reinforce that the SME mindset should be to start very small and expand over time. To Malcolm's point, pick a few activities from a few domain areas and focus on being able to do them well. For a manufacturing company with many assets, the Identify domain and its practices are a critical focus area. You have to know what you have to manage, and the environments are very dynamic. Tools help solve this pretty easily, but there has to be continuous management. Respond and Recover practices are must-haves as well.