I’m often asked if cybersecurity standards are important to SMBs. You bet your sweet bippy! I’ve seen this story play out more and more the past several years:
One of our clients frantically contacts us because one of their customers wants to know
- if their company adheres to any security standard like SOC 2, NIST, ISO, PCI, HIPAA, GDPR, etc. and, if so,
- can they please have an overview of the associated cybersecurity policies?
Our client begins to panic because, while they had talked about doing something, they never got to it (even with our prompting and pushing). They put cybersecurity low on their priority list or, in some situations, chose not to follow any standard because they thought the risk was irrelevant to their business. Now, they find themselves, not a victim of a hack, but the sufferer of the business reality of losing a customer or prospect because they are not up to a security standard the market demands.
Why security standards are important to SMBs
2. The story above illustrates that there is a business upside to compliance standards. Pragmatic business owners see IT as a means to an end. Their goals are simple: keep my people productive, keep the enterprise running, and keep valuable data safe. In other words, use IT to enable me to competitively serve clients and make money.
What do you think the reaction would be from a client if you could NOT answer their question right away and/or prove that you were not just blowing smoke? Do you think they’d lose confidence in you? Do you think that they’d start questioning the depth and validity of other products and services you provide them? Do you think they want to put their own clients and their reputation at risk?
On the other hand, what reaction would you get if you provided a holistic philosophy and supporting model that outlined your approach to security in detail? Would they be impressed or at least feel comfortable that you lived up to their high expectations of you? Wouldn’t you rather outshine your competition? Compliance standards provide an opportunity for you to differentiate your firm’s care for customers, understanding of their needs, and your attention to detail.
I know that I want any edge I can get on my competitors.
What does it take for an SMB to achieve security standards?
Dealing with cybersecurity is on nobody’s fun list. While there are a ton of moving parts that affect nearly all aspects of your business (but, in a good way), it can be done—and much easier than you may think. I know because Waident has done it ourselves. We aligned all our policies and procedures with the industry-leading NIST cybersecurity standard framework. The Framework is based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it fosters communications among internal and external stakeholders by giving our clients and us a way to talk about risk in a business context. Most important, NIST gives us the framework and credentials to keep Waident and our clients secure, more resilient, and ahead of the coming compliance squeeze.
The Framework helps organizations better understand, manage, and reduce their cybersecurity risks. It helps determine which activities are most important to assure critical operations and service delivery so you prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, operating units, and executives, as well as, customers and suppliers.
I’ll outline NIST and its 5 areas in this post. In upcoming posts, I’ll provide details for each area and how Waident is applying NIST to protect clients from cyber threats.
“Cybersecurity is just not a tech challenge, solved only in acquiring a technical solution. It is a business issue that must be addressed comprehensively through people, processes, and technology. The NIST CSF provides a comprehensive and programmatic approach to bridge the organization’s businesses objectives with their security objectives, integrates with other industry security control standards, and is flexible so that any organization can adapt to best suit their needs.”
Abby Daniel, Amazon Web Services (AWS) Public Sector Manager for Business Development
Who is NIST – The Industry Standard for Cybersecurity
First, who is NIST? NIST is an acronym for the National Institute of Standards and Technology (NIST).
NIST, founded in 1901, is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. You may have heard of NIST because one of its many programs include the annual Malcolm Baldrige National Quality Award which recognizes performance excellence and quality achievement.
What is the NIST Framework
The NIST framework has 3 central components. 1. Core, 2. Tiers, and 3. Profiles.
The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes. The Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. These Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
Identify – Inventories the company’s systems, people, assets, data, and capabilities risks. Then, it structures the organization’s approach to managing cyber risks so it can prioritize its efforts, consistent with its risk management strategy and business needs.
Protect – Outlines safeguards that ensure you can deliver critical operations and service delivery while enabling you to limit the impact of a potential cybersecurity event.
Detect – Describes the activities and tools that identify the occurrence of a cybersecurity event.
Respond – Includes the appropriate activities that address a detected cybersecurity incident and contain its impact.
Recover – Identifies appropriate activities to maintain resilience and restore any capabilities that were impaired due to a cybersecurity incident.
The Framework Implementation Tiers provide context on how an organization views cybersecurity risk management. The Tiers help organizations consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
The Framework Profiles afford an opportunity to identify areas where existing processes may be strengthened or new processes implemented. The Profiles, when paired with the Framework’s easy-to-understand language, strengthens communication throughout the organization. The pairing of Framework Profiles with an implementation plan allows an organization to take full advantage of the Framework by enabling cost-effective prioritization and communication of improvement activities among organizational stakeholders, or for setting expectations with suppliers and partners. The Profiles and associated implementation plans can be used to demonstrate due care to stakeholders like the customers mentioned in my opening comments.
The Framework is guidance. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs.
Conclusion: Working Together to Implement NIST
Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework is not implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations.
Because the Framework is outcome-driven and does not mandate how an organization must achieve those outcomes, it enables scalability. A small organization with a low cybersecurity budget, or a large corporation with a big budget, are able to approach the outcome in a way that is feasible for them. It is this flexibility that allows the Framework to be used by organizations that are just getting started in establishing a cybersecurity program, while also providing value to organizations with mature programs.
NIST equips Waident with the tools to help our clients implement a host of cybersecurity standards in a way we could not in the past. We can now manage the entire process and provide the policies to customize for your business. You will quickly be more secure and have the reports and documentation that lets your customers know that you have their “cybersecurity backs.”
We do the heavy lifting, so you don’t need to, which makes us happy because security is becoming a big deal to all businesses, big and small.
Got a question, an opinion, or want some advice? Shoot me an email (jahlberg[at]waident.com), give me a call (630-547-7011) or read our latest posts.