How should Small or Medium Enterprise (SME) companies tailor larger cybersecurity frameworks (CSF) to their operating models?

Governance, Risk & ComplianceRisk ManagementPeople & Leadership+1 more
2.6k views1 Upvote4 Comments
VP of Product Management in Software, 11 - 50 employees
I’ve wondered whether the frameworks are only built for these larger corporations, or if there is a simpler way to do it. Because right now it seems like too much for a smaller company. If there are 20 or less people, they don't have the time.
2
Board Member, Advisor, Executive Coach in Software, Self-employed
The way I've always looked at it is that how you apply them has to be right-sized. It's the application of the framework to the problem, size, scope, organization, or the vertical. That's the tailoring. It’s like buying a suit: I'm a 42 regular, but if a size 42 suit is not tailored for me, it’s not going to fit exactly right. 

Start by asking, how does this SMB take the CSF? I could start with just: digest, respond, recover. Three things under each of those studies would be good for a five person shop. They probably don’t need anything more than that. So it's a matter of how you scale these up or down while still leveraging the structure.
1
Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees
I've recommended simplified versions to some smaller clients that consist of just five categories. If they make decisions that they believe are going to put them at risk, they open up their OneNote to say, "This is the decision, this is the category, this is when I will look at it again.” Then they've implemented this CSF and they have risk registered. That's all I can do right now. If they revisit that once a month, they're probably in a better position than the average 15-person company and that's okay for now.
1
CIO in Manufacturing, 1,001 - 5,000 employees
I'll reinforce that the SME mindset should be to start very small and expand over time. To Malcolm's point, pick a few activities from a few domain areas and focus on being able to do them well. For a manufacturing company with many assets, the Identify domain & practices are a critical focus area. You have to know what you have to manage and the environments are very dynamic. Tools help solve this pretty easily but there has to be continuous management. Respond & Recover practices are must haves as well.
2

Content you might like

Which leadership style do you believe is most effective in your organization?

People & Leadership

Autocratic5%

Transformational42%

Servant15%

Laissez-faire6%

Democratic8%

Coaching20%

Others3%


144 PARTICIPANTS
2.8k views1 Upvote1 Comment

What steps are must-haves to ensure data security in automated processes?

SecurityStrategy & Architecture
294 views

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
43.5k views132 Upvotes319 Comments

How do you help someone gain skill sets if they resist learning something new?

Peer InsightsPeople & LeadershipRelationship Management
384 views

Do you feel like security’s current role in your org’s generative AI initiatives is adequate? Or do you think the security team(s) should be more/less involved?

Artificial Intelligence & Machine Learning (AI/ML)Governance, Risk & ComplianceSecurity Strategy & Roadmap

Way more involved6%

Somewhat more involved47%

A bit more involved30%

Security’s current role is adequate10%

A bit less involved4%

Somewhat less involved1%

Way less involved1%


203 PARTICIPANTS
1.4k views