Cyber Security on a small budget

It’s often felt that large companies have a distinct advantage over smaller ones as they have significantly larger budgets to help invest in people, process and technology. Smaller companies often lack the level of investment but have some distinct advantages over their larger counter parts. To name just a few, they:

• Lack the organisational complexity – it’s often easier to make a decision and implement change;
• Don’t have the large and sprawling technical infrastructure;
• Aren’t having to contend with a multitude of legacy infrastructure and systems;
• Are able to embrace new trends and adapt more quickly.

For Cyber Security to be effective in any organisation you need support and buy in from the top. A lack of senior level backing will undermine what you’re trying to achieve within any size of organisation.

Given a limited budget and a lack of expertise where can you start within a small organisation and is it possible to level the playing field?

Building the foundations

I’ve often seen a rush to invest in technology to solve the security challenge. The root of this is likely attributed to many people within the industry having a background in technology (myself included). I’d start out building out an Information Security Management System (ISMS). This is the foundation by which your wider services will be developed.

Information Security Management System (ISMS)

There are various frameworks and standards of best practice readily available. Consider adopting the likes of ISO27001 or the NIST Cyber Framework. It’s also worth considering if there is or will be a future certification requirement.

There are some key actions that you need to take:

• Understand what already exists – can you utilise an existing foundation or do you need to start from scratch;
• Develop a risk management capability or integrate into an existing one – ensure it is fit for purpose;
• Understand the risk appetite of the organisation – check that the stated appetite reflects the culture of the organisation;
• Determine and prioritise what you are trying to protect – don’t try to secure everything equally;
• Identify compliance and regulatory requirements;
• Given the resources available, set out a strategy that will enable you to bring risk within appetite;
• Develop action plans that will support the successful delivery of your strategy.

Involve others in the journey and make sure that you manage expectations. It’s widely recognised that incidents will happen, avoid offering something that you can’t deliver on. There’s an interesting article on zdnet that I suggest reading showing the average tenure of a CISO is just 26 months due to high stress and burnout. Not managing expectations from the outset won’t help!

Setting out your security programs

Follow the action plans you’ve set out in order to achieve your defined strategy. Consider adopting best practice standards. There are a multitude of useful resources readily available that you can look to adopt depending on the existing maturity of the organisation. The following are potential resources you may consider using:

• Cyber Essentials;
• CIS Controls List;
• ISO 27002;
• NIST 800-53;
• UK 10 steps to cyber security.

This is not intended to be an exhaustive list. If you’ve got any resources that you rate, then let me know. As you go through the list of controls you’ll notice many can be delivered without the need for a significant capital outlay. With the continued adoption of cloud-based services smaller companies are becoming increasingly able to achieve higher standards of security through utilisation of services such as Software as a Service (SaaS).

If you’re starting from a very low baseline look to build out some of the basic controls first. Consider the likes of Cyber Essentials or choosing a standard such as the CIS Controls and starting out with implementation of the basic controls first.

Starting from scratch

It can feel daunting to be setting up an ISMS or equivalent when nothing or only a very basic foundation exists. It’s always worth considering if there are off the shelf solutions readily available that can be purchased and adapted to your needs. For instance:

• ISO toolkit / ISO27001 compliant policies are available;
• Security as a Service (SECaaS).

It's far easier to acquire existing resources and adapt them to your requirement than to start from the ground up. Consider when the resources you produce (such as policies / standards) are good enough rather than waiting for them to be perfect. These documents will evolve and mature along with the security capability within your organisation.

When starting out remember it takes time to implement and build out a security program. Your focus should be on continuous improvement rather than quick fix. Over time you will have the opportunity to incrementally raise the minimum-security standards across your organisation.

Resources

It’s been widely recognised that there are a shortage of people in the Cyber security field. The gap between companies hiring needs and available candidates is expected to continue growing. This combined with the high average salaries makes recruiting and retaining a suitable candidate particularly challenging.

Every organisation needs to have someone ultimately accountable for security in the organisation. Within small businesses individuals will often be balancing a number of different job functions. If you lack the budget to recruit a full-time resource consider supplementing what resource you do have through outsourcing to professional service providers. Security providers are increasingly offering a Virtual CISO as a service to companies that need security support but on a part time or adhoc basis.

Final Thought

The needs of every organisation are different and will vary according to various factors (internal & external) such as the expectation of customers and the compliance requirements in your respective jurisdictions and sectors. It’s possible to build out and run an effective security program in small to medium businesses on a budget. Focus on building the management system and equally consider people, process and technology.

You’ll need to manage the expectations of others as well as your own. Set realistic objectives and focus on incremental improvement / maturity over time.

It would be great to get your thoughts on the topics covered along with any experiences that you’ve had building out your own security program.