How should Small or Medium Enterprise (SME) companies tailor larger cybersecurity frameworks (CSF) to their operating models?

VP of Product Management in Software, 11 - 50 employees
I’ve wondered whether the frameworks are only built for these larger corporations, or if there is a simpler way to do it. Because right now it seems like too much for a smaller company. If there are 20 or less people, they don't have the time.
Board Member, Advisor, Executive Coach in Software, Self-employed
The way I've always looked at it is that how you apply them has to be right-sized. It's the application of the framework to the problem, size, scope, organization, or the vertical. That's the tailoring. It’s like buying a suit: I'm a 42 regular, but if a size 42 suit is not tailored for me, it’s not going to fit exactly right. 

Start by asking, how does this SMB take the CSF? I could start with just: digest, respond, recover. Three things under each of those studies would be good for a five person shop. They probably don’t need anything more than that. So it's a matter of how you scale these up or down while still leveraging the structure.
Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees
I've recommended simplified versions to some smaller clients that consist of just five categories. If they make decisions that they believe are going to put them at risk, they open up their OneNote to say, "This is the decision, this is the category, this is when I will look at it again." Then they've implemented this CSF and they have risk registered. That's all I can do right now. If they revisit that once a month, they're probably in a better position than the average 15-person company and that's okay for now.
CIO in Manufacturing, 1,001 - 5,000 employees
I'll reinforce that the SME mindset should be to start very small and expand over time. To Malcolm's point, pick a few activities from a few domain areas and focus on being able to do them well. For a manufacturing company with many assets, the Identify domain & practices are a critical focus area. You have to know what you have to manage and the environments are very dynamic. Tools help solve this pretty easily but there has to be continuous management. Respond & Recover practices are must haves as well.