Cybersecurity for the Medium-Sized Business: Getting Started


This article was originally published by CI Security.


Selecting a standardized framework is a critical step that every organization must eventually take to mature its cybersecurity program.


At a recent meeting with a customer, a medium-sized business, I encountered a security situation I have seen many times before: a small IT team tasked with managing both security and production systems, a limited budget, and growing concern about risk. With no formal information security plan in place, the customer was looking for guidance on how to get more serious about cybersecurity and how to communicate its needs to management.


To help organizations in this position make progress on their security journey, let’s explore the available options and the reasons it is worth implementing a standardized cybersecurity framework.


Avoid Negative Outcomes with a Cybersecurity Framework


Put simply, cybersecurity incidents can be fairly categorized by three negative outcomes:


  • Unauthorized records disclosure
  • Theft/extortion
  • Disruption of service


The challenge for the medium-sized business is reducing the likelihood and managing the potential impact of these outcomes. When an organization starts from the outcomes it wants to avoid, its priorities become clear based on financial and fiduciary impact. Rather than starting from scratch to identify the steps to take, organizations like the one mentioned above are better off using one of the well-established cybersecurity standards and frameworks.


In my experience there are a few common business drivers for security. The following three are the ones I most often see companies use to select their framework:


  1. Compliance requirements: regulatory requirements such as HIPAA, DFARS (which requires NIST SP 800-171 of defense contractors handling controlled unclassified information), and Sarbanes-Oxley, and industry requirements such as PCI DSS.
  2. Customer expectations: to satisfy the security questionnaires that are now routinely exchanged business-to-business, customer demand may drive ISO/IEC 27001 certification, a SOC 2 attestation report, or HITRUST CSF certification.
  3. Risk management: managing risk serves the overall goal of improving security to avoid the outcomes listed above.


The customer with whom I was speaking was trying to do #3, good risk management. For teams in that category, deciding which framework to follow can be confusing: there are many options and no mandate to follow any particular one. Security controls nearly always trade away some convenience, and budgets are limited, so it is important to settle on controls that are reasonable and actionable.


Customize Your Chosen Framework


There are a variety of frameworks available online for organizations to leverage for their cybersecurity programs. The most detailed is NIST SP 800-53, a catalog of several hundred security and privacy controls written for U.S. federal systems, but anyone familiar with it can tell you it is not convenient for a small team.


Instead, the NIST Cybersecurity Framework (CSF) is a good place to start. It is an outcome-oriented model that organizes cybersecurity activities into five core Functions: Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in 2024, adds a sixth, Govern). Each Function breaks down into Categories and Subcategories of desired outcomes, and an organization builds a Profile by selecting the outcomes that matter to it. The CSF describes what should be achieved without prescribing specific controls, leaving the organization to determine how best to meet each outcome.


Another popular framework is COBIT, ISACA’s IT governance framework, which takes a holistic, business-process-centric view in which stakeholders and roles are laid out in RACI charts (Responsible, Accountable, Consulted, Informed). The CIS Critical Security Controls (formerly the SANS Top 20, and trimmed to 18 controls in version 8) are another option, providing a concise, prioritized set of controls derived from observed attack patterns; the companion CIS Benchmarks supply baseline configurations for hardening operating systems and applications.


Regardless of which framework is selected, medium-sized organizations significantly improve their cybersecurity posture simply by going through the process of selecting and customizing one.


Use the Framework to Assess Cybersecurity Risks


A best practice in adopting a cybersecurity standard is to speak with a consultant experienced in focused security assessments, risk assessments, and gap analyses. This type of engagement baselines existing technical, management, and physical controls against the standard and recommends corrective actions in a report that can be shared with executives to show both the status quo and the goals for an improved security posture. Even customers with strong technical controls in place often find they need to formalize written policies, align procedures with other departments, develop security awareness training, and meet other requirements that fall outside the typical IT workflow.


The output of a gap analysis against a framework is, in effect, a corrective action plan (in NIST terms, a plan of action and milestones). The results of the analysis and the associated plan can then be used to answer the growing number of requests for security information from business partners, insurers, and other third parties. In other words, assessing your organization against the NIST framework has the added benefit of assembling your “security papers”, which organizations in finance, healthcare, and the defense industrial base (DIB) are now required to collect from the vendors they work with, with other sectors following suit.


Getting Budget with a Standardized Framework


A standardized framework will help your organization identify priorities, and also the areas that can be de-prioritized. The framework can also establish a foundation for getting budget for your initiatives: within its context, industry standards serve as benchmarks for budgetary requests, and risk management can be presented to the Board in a compelling way that establishes common ground.


The customer I mentioned at the beginning of the article is still deciding on the next path of their security journey. Whichever standard they choose, they will be a more aware, better organized, and (with some corrective action) better protected organization.


Need help with selecting a cybersecurity framework or standard? Our professional services team can help you identify the right framework for you, as well as provide critical customizations for your internal and external stakeholders.


About the Author: Steve Torino is an Information Security Expert and Cybersecurity Engineer based in Boston, MA. You can reach Steve on LinkedIn at
