If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

Security Strategy & RoadmapGovernance, Risk & Compliance
2k viewscircle icon2 Comments
Sort by:
Principle Consultant in IT Servicesa year ago

I love NIST frameworks, but if you are just getting started, I prefer "Protecting Sensitive and Personal Information from Ransomware" from CISA as most organizations can get behind protecting against Ransomware. Check out https://www.cisa.gov/resources-tools/resources/protecting-sensitive-and-personal-information

Director of Information Securitya year ago

I would prefer to start with NIST framework to ensure comprehensive design of cybersecurity practice across the security with objective set to achieve business goals.  Will need to first create the roadmap and structure to enhance security across the organization.

Content you might like

I'm looking to go for the Certified CISO certification & training as I'm an aspiring CISO. Any recommendations and additional certifications that I should be doing along with that? I already have CISSP. 

Read More Comments

AI deepfakes have cost the industry over $200M this year. As CISOs, can we scale detection fast enough, or is regulatory pressure the only way to drive adoption?

As enterprise AI adoption accelerates, how is your organization adapting its governance and risk oversight to keep pace?

Established AI governance framework with defined policies and oversight40%

Currently developing governance models and risk controls68%

Relying on existing security/compliance frameworks (no AI-specific policy)34%

No formal AI governance approach in place2%

View Results

We implemented Oracle HCM recently including Redwood.  Defining the long term plan for support, we face challenges with our Oracle Security knowledge depth specifically (defining and maintaining roles/ SOD/ SOX etc). Is there anyone who has experience in setting this up after a successful Oracle HCM plus Redwood implementation and would like to share best practices with me?

How many 3rd party antivirus products do you have on a user's PC?

None9%

0 - Rely on built in defender AV35%

142%

2 or more12%

View Results