If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

Security Strategy & RoadmapSecurity Frameworks (NIST, CIS, CSF)
2k viewscircle icon2 Comments
Sort by:
Principle Consultant in IT Servicesa year ago

I love NIST frameworks, but if you are just getting started, I prefer "Protecting Sensitive and Personal Information from Ransomware" from CISA as most organizations can get behind protecting against Ransomware. Check out https://www.cisa.gov/resources-tools/resources/protecting-sensitive-and-personal-information

Director of Information Securitya year ago

I would prefer to start with NIST framework to ensure comprehensive design of cybersecurity practice across the security with objective set to achieve business goals.  Will need to first create the roadmap and structure to enhance security across the organization.

Content you might like

How does your cyber compliance team stay informed about new and changing regulations impacting your organization's compliance? Additionally, how are cyber compliance teams tracking, measuring and reporting on internal compliance?

User experience should not be a priority in the context of security — do you agree?

Strongly agree10%

Agree57%

Neutral11%

Disagree13%

Strongly disagree6%

View Results

How are you currently leveraging your cyber-risk quantification methodologies at your organization?

Prioritizing cyber risks43%

Communicating to risk owners64%

Communicating to C-Suite56%

Communicating to Board24%

Aligning cyber risks with other risk practices15%

View Results

‘AI’ Business Model – With many components flowing into the AI domain (cost, data, E&C, people, value, strategy, duplication of everything, etc.), I’ve started to think about splitting out ‘AI’ from the operating model and putting it into a separate legal entity. This way, I could manage a) risk and compliance, b) cost, c) resource allocation, d) governance, e) IP, f) revenue generation, etc.

Of course, this isn’t new in general, but I’m especially interested in how this approach could help with the ongoing challenge of ensuring compliance with data privacy and regulations related to LLMs and data access/usage over time.

My question: Is anyone else thinking about this, or has anyone already done it? I know there are examples in the literature, but I wanted to float this here for general comments and discussion.

What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What does the structure/operating rythms look like?

Read More Comments