Cynthia Brumfield - Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework

Many, if not most, of the principles and practices of sound cybersecurity presented throughout this book are admittedly complex. They are also far easier to grasp and implement for large organizations, which typically have bigger budgets and multiple personnel to devote to IT, technology, security tasks, and training.

Numerous resources offer guidance to small and medium-sized businesses when implementing the NIST Cybersecurity Framework and adopting critical practices to protecting systems and information. Three in particular that are worth reviewing and keeping on hand are:

1. NISTIR 7621, Revision 1 Small Business Information Security: The Fundamentals, November 2016 at https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.
2. NIST Small Business Cybersecurity Corner at https://www.nist.gov/itl/smallbusinesscyber.
3. Cybersecurity Risk Management and Best Practices (CSRIC IV WG4 Final Report), Section 9.9 Small and Medium Business (370397) at https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf.

However, even these guides detail, albeit more simply, the same basic cybersecurity steps that are highlighted in this book developing risk assessments, mapping out and planning infrastructure protections, implementing intrusion detection systems, and so forth.

What this means, in short, is that there is no easy way to ensure systems and assets remain safe other than completing the complex, often tedious, and usually laborious, repetitive, and ongoing steps that are designed to provide protective layers and recovery processes for your organization.

With this caveat in mind, there are a few steps you can take as a small organization to move closer to the full range of cybersecurity practices needed as the complexity of protecting digital assets grows. Here are a few recommendations:

1. 1. Trusted Personnel Should Wear Multiple Hats: If your organization consists of only a small number of personnel, adapt some of the strategies listed below and in the other chapters so that a handful of trusted personnel can carry them out. You can assign the roles and responsibilities that are usually delegated across personnel in larger organizations to however many personnel you trust. For example, in devising an incident response team, which in a larger organization might rely on human resources, legal, public relations, and IT personnel, brainstorm how the discrete responsibilities of all those functions might be handled by a systems administrator and an office manager, for example.
2. 2. Focus on the Basics First: Perform a risk assessment to determine what controls and capabilities you have in place. Once gaps are identified, start remediating deficiencies. This assessment should cover basic cyber hygiene such as multi-factor authentication, separate administrative credentials, e-mail security, scheduled patching programs, firewall/perimeter controls, and host-based detection and response software. These foundational controls address the highest likelihood vulnerabilities that small organizations will have.
3. 3. Bring in Outside Help: When budgeting for IT and technical resources, advocate for funds that you can use to bring in outside help when needed. External cybersecurity consultants can help your organization figure out how to make changes that improve your security posture or assist in a crisis when all employees are overtaxed. Good cybersecurity consultants can help you establish practices ahead of time that can save you grief when an incident does occur and can also help you select your cybersecurity configuration so that the impact of security incidents can be lessened. Fees for external consultants can range from modest amounts to significant financial outlays if you wait to hire the consultants during a crisis.
4. 4. Gather Evidence and Materials to Advocate for More Security Resources: Make it a habit of staying on top of the adverse cybersecurity experiences of other organizations so that you can develop a cybersecurity resource arsenal to fight for more resources, whether personnel resources or funds for outside consultants. Network with your peers to find out what theyre doing to gather your evidence to advocate for more security resources.

There are several control frameworks available to address the more tactical elements of cybersecurity. One industry-recognized framework is the Center for Internet Security (CIS) Controls, formerly known as the SANS Top 20. This mapping demonstrates connections between NIST Cybersecurity Framework (CSF) and the CIS Controls Version 8.0. The CIS Controls provide security best practices to help organizations defend assets in cyberspace.

Use this mapping to help identify specific technical implementations, modifications, or best practices that can aid in meeting a respective NIST CSF Subcategory Control. (Please note that not all CIS elements map directly to the NIST Framework.)