If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

Security Strategy & RoadmapGovernance, Risk & Compliance
2k viewscircle icon2 Comments
Sort by:
Principle Consultant in IT Servicesa year ago

I love NIST frameworks, but if you are just getting started, I prefer "Protecting Sensitive and Personal Information from Ransomware" from CISA as most organizations can get behind protecting against Ransomware. Check out https://www.cisa.gov/resources-tools/resources/protecting-sensitive-and-personal-information

Director of Information Securitya year ago

I would prefer to start with NIST framework to ensure comprehensive design of cybersecurity practice across the security with objective set to achieve business goals.  Will need to first create the roadmap and structure to enhance security across the organization.

Content you might like

We implemented Oracle HCM recently including Redwood.  Defining the long term plan for support, we face challenges with our Oracle Security knowledge depth specifically (defining and maintaining roles/ SOD/ SOX etc). Is there anyone who has experience in setting this up after a successful Oracle HCM plus Redwood implementation and would like to share best practices with me?

I'm looking for an open-source IGA solution, has anyone had any experience they can share?

Are CISA's current recommendations for preventing Maui ransomware attacks sufficient?

Yes, if followed correctly.39%

Unsure38%

No, there is still a significant risk.19%

Other (please tell us in the comments)3%

View Results

I'm interested in understanding how your organizations estimate the complexity of digital initiatives, particularly as a basis for applying appropriate project management governance. In other words, how do you assess initiative complexity in order to determine the level or type of governance needed?

Read More Comments

What's your most indispensable cloud infrastructure tools to use in addition to what you get from GCP, AWS, Azure?

HashiCorp (Terraform, Vault, Packer, etc.)22%

Cloud infra automation (Ansible, Puppet, Chef, etc.)56%

APM (Datadog, AppD, SignalFX, NewRelic, etc.)10%

Others?10%

View Results