If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

Security Strategy & Roadmap Security Frameworks (NIST, CIS, CSF)

2k views2 Comments

Sort by:

Principle Consultant in IT Servicesa year ago

I love NIST frameworks, but if you are just getting started, I prefer "Protecting Sensitive and Personal Information from Ransomware" from CISA as most organizations can get behind protecting against Ransomware. Check out https://www.cisa.gov/resources-tools/resources/protecting-sensitive-and-personal-information

Director of Information Securitya year ago

I would prefer to start with NIST framework to ensure comprehensive design of cybersecurity practice across the security with objective set to achieve business goals. Will need to first create the roadmap and structure to enhance security across the organization.

Content you might like

‘AI’ Business Model – With many components flowing into the AI domain (cost, data, E&C, people, value, strategy, duplication of everything, etc.), I’ve started to think about splitting out ‘AI’ from the operating model and putting it into a separate legal entity. This way, I could manage a) risk and compliance, b) cost, c) resource allocation, d) governance, e) IP, f) revenue generation, etc.

Of course, this isn’t new in general, but I’m especially interested in how this approach could help with the ongoing challenge of ensuring compliance with data privacy and regulations related to LLMs and data access/usage over time.

My question: Is anyone else thinking about this, or has anyone already done it? I know there are examples in the literature, but I wanted to float this here for general comments and discussion.

What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What does the structure/operating rythms look like?

Has your company pursued any cybersecurity accreditations or certifications strictly for cyber insurance policies? (select all that apply)

Yes, we have pursued new accreditations or certifications strictly to help reduce our cyber insurance premiums25%

Yes, we have pursued new accreditations or certifications strictly to obtain cyber insurance54%

No, we have not pursued new accreditations or certifications strictly for reasons related to cyber insurance38%

We do not have cyber insurance10%

Not sure1%

View Results

How are you currently managing SIEM costs? Have you found effective ways to actually reduce storage costs for your SIEM?

What is the top data governance issue?

Limited resources11%

Siloed data40%

Lack of leadership23%

Poor data quality & context18%

Lack of data control5%

Other (please explain in the comments)