Steps Startups or SMBs can take to improve their Cybersecurity Programs


***The content of this article comes from several slide decks and other material I created to present to startups in my employers' portfolio. I created all of this content and provide it free to the community for use. I just ask that you properly cite this article if you use this content - thank you.

In my varied career in both Information Technology and Cybersecurity, I have had the opportunity to be a CIO, CISO, and Chief Privacy Officer. I have also held numerous roles in network engineering, security architecture & program development, and risk governance. In all these roles, one common theme I have found at each organization I have served is that the business's threats and risks were dynamic and never the same. This systemic risk and continuously changing threat environment drive security leaders to try to bring some order to this chaos.

This issue leads me to why I am writing this article. I advise and work with many startups and small businesses in my current role. I find they know the risks facing their companies but don't know where to start implementing their first cybersecurity initiatives. I recommend some basic approaches, keeping it simple, and with these foundational steps in place, they can mature as a business and grow their security programs where needed.

1. Approaching Cybersecurity as a Critical Business Function

Time and again, we have seen that when a business has a security incident that impacts operations, the issue may have been preventable, and those in IT and Cybersecurity probably knew some facet of the risk, but it had not been adequately communicated to corporate leadership. Please understand that this is not to blame those teams, as we know many factors lead up to a security incident, and not all leadership teams want to know the risks facing their business. However, as a security executive, you must be prepared, and the following are some steps to help you when you have these difficult but necessary discussions with corporate stakeholders.

- Four essential insights for Startup & SMB security leaders to consider in framing discussions with company leadership

  - Understand the business needs that drive cybersecurity investments

    - Security managers need to understand why specific security controls and the associated security stack technologies are required and the value these services should provide.

    - This statement seems common sense; however, I have found that we security professionals don't always take the time to understand some of the external factors that push down on our security programs. These significant factors can be enterprise issues like the markets the organization competes in and regulatory requirements that must be followed. They can also be unwritten rules like an entrenched internal business culture that dictates that the CISO and the security team will follow a specific process because "that's how we do it here."

  - Review and understand the current IT portfolio

    - A portfolio review of the current IT environment is needed for security managers to understand the deployed technical landscape.

    - This factor heavily influences the technologies a security leader selects for their own technology stack. The IT team provides services the business requires to be productive on a daily basis. Many of these services are critical and may hold, create, or process sensitive data that is regulated. Understanding the IT technologies that provide services vital to the business offers a blueprint for the security leader when they design, manage, and update their security technologies. I tend to view it this way: the IT stack is the hand used to do daily work in the garden and clear out the weeds so the food can grow. The security stack is the glove on that hand that protects it from thorns, spiders, and other threats.

  - Conduct a risk assessment

    - For companies to mature and ensure their vision of their future state, security managers must select a framework to conduct an organizational risk assessment. This assessment will provide a baseline of current security controls that are working correctly, controls that require remediation, and controls that don't apply to existing business operations.

    - There are two issues I find that many security leaders have with implementing this factor: selecting a framework appropriate for their company and conducting the assessment. These issues can be addressed by understanding where the business is in its current lifecycle. What I mean by this is that if your company is a startup with only ~50 employees, you won't select NIST CSF as your framework because you aren't mature enough as an organization for many of its security controls. Instead, the security leader would choose a framework like CIS Controls v8 and focus on the first ten controls to establish a mature cyber hygiene protocol. Then, with the framework selected, the next issue is conducting the assessment. Getting stakeholders from the other business units to assist is crucial so the assessment findings are viewed through a security lens but tuned to what the business needs.

  - Develop a strategic improvement plan

    - By establishing a risk baseline, security managers can identify business processes that need updating and security controls that are immature, giving them a ready-made list to develop a strategic plan for improving the company's security posture.

    - As the security leader for your startup or SMB, you have now completed the risk assessment, and in working with stakeholders from the various business units, you have taken the assessment's findings and prioritized its security gaps. This prioritized list can now be used to produce a strategic plan of security initiatives to be completed over a period of time. In all of my roles, I have used this list to create an 18-month strategic plan so my team, corporate leadership, and the board of directors would know the focus of my security program and the value it would bring as it matures. I would then take that plan and break it down into six-month sprint cycles, and with this roadmap, my team and I would then focus on daily security operations and our six-month security project sprints. Finally, once a year, I would conduct a reassessment considering completed projects, new business initiatives, and current threats. The findings of this reassessment would then be used to develop an updated 18-month roadmap.

By the end of this first step, a security leader should better understand the business they operate in and serve. They should also understand the critical services the IT stack provides the company and how their security program and technologies are aligned to protect these services. Finally, they should have selected a framework to begin maturing their program and have an improvement plan established that is visible and communicated to all stakeholders, so they understand why security is vital to company operations. This step alone, I feel, is the most important for startups and SMBs to establish as it gives the business a foundation to build on for the steps that follow.
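As an added example (not from the article), the procedure described above, a baseline assessment against the first ten CIS Controls v8, a prioritized gap list, and an 18-month roadmap in three six-month sprints, can be written as a small Python script. The statuses, risk scores and effort estimates in it are constructed, and the first-fit placement of gaps into sprints is my own simplification; anything that does not fit in 18 months is carried to the annual reassessment instead of being dropped.

```python
"""Added example: turn a CIS Controls v8 baseline assessment into a prioritized
gap list and an 18-month roadmap of three six-month sprints."""
from dataclasses import dataclass

# The first ten CIS Controls v8 (control numbers and titles as published by CIS).
CIS_V8_FIRST_TEN = {
    1: "Inventory and Control of Enterprise Assets",
    2: "Inventory and Control of Software Assets",
    3: "Data Protection",
    4: "Secure Configuration of Enterprise Assets and Software",
    5: "Account Management",
    6: "Access Control Management",
    7: "Continuous Vulnerability Management",
    8: "Audit Log Management",
    9: "Email and Web Browser Protections",
    10: "Malware Defenses",
}

# The three outcomes the baseline assessment distinguishes for each control.
IMPLEMENTED = "implemented"
REMEDIATE = "needs remediation"
NOT_APPLICABLE = "not applicable"


@dataclass
class Finding:
    control: int           # CIS v8 control number
    status: str            # one of the three outcomes above
    risk: int = 0          # 1 (low) .. 5 (high), agreed with business-unit stakeholders
    effort_weeks: int = 0  # rough remediation estimate from IT and the control owner

    def __post_init__(self):
        if self.control not in CIS_V8_FIRST_TEN:
            raise ValueError(f"control {self.control} is outside the first ten CIS v8 controls")
        if self.status not in (IMPLEMENTED, REMEDIATE, NOT_APPLICABLE):
            raise ValueError(f"unknown status {self.status!r}")


def prioritized_gaps(findings):
    """Gaps only, highest risk first; ties are broken by control number, since
    CIS orders its controls from most to least foundational."""
    gaps = [f for f in findings if f.status == REMEDIATE]
    return sorted(gaps, key=lambda f: (-f.risk, f.control))


def build_roadmap(findings, sprints=3, weeks_per_sprint=26):
    """First-fit scheduling: place each prioritized gap in the earliest six-month
    sprint with enough remaining capacity (one initiative at a time). Gaps that
    fit in no sprint are deferred to the next annual reassessment."""
    plan = {f"sprint {i + 1}": [] for i in range(sprints)}
    load = {name: 0 for name in plan}
    deferred = []
    for gap in prioritized_gaps(findings):
        for name in plan:
            if load[name] + gap.effort_weeks <= weeks_per_sprint:
                plan[name].append(gap.control)
                load[name] += gap.effort_weeks
                break
        else:
            deferred.append(gap.control)
    return plan, deferred


# Constructed baseline for a ~50-person startup (statuses and numbers are invented).
SAMPLE_ASSESSMENT = [
    Finding(1, REMEDIATE, risk=4, effort_weeks=8),
    Finding(2, REMEDIATE, risk=3, effort_weeks=6),
    Finding(3, REMEDIATE, risk=5, effort_weeks=12),
    Finding(4, REMEDIATE, risk=4, effort_weeks=16),
    Finding(5, IMPLEMENTED),
    Finding(6, REMEDIATE, risk=5, effort_weeks=10),
    Finding(7, REMEDIATE, risk=4, effort_weeks=14),
    Finding(8, REMEDIATE, risk=3, effort_weeks=20),
    Finding(9, IMPLEMENTED),
    Finding(10, NOT_APPLICABLE),
]

if __name__ == "__main__":
    plan, deferred = build_roadmap(SAMPLE_ASSESSMENT)
    for sprint, controls in plan.items():
        print(sprint, [CIS_V8_FIRST_TEN[c] for c in controls])
    print("deferred to next reassessment:", [CIS_V8_FIRST_TEN[c] for c in deferred])
```

With the constructed numbers, Audit Log Management (control 8) lands in the deferred bucket, which is exactly the list to bring to the yearly reassessment alongside new initiatives and current threats.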

2. Building a Cyber-Aware Culture Is an Essential Business Initiative

Changing culture requires two core elements to be successful. The first is executive leadership support, and the second is patience. As the security leader for the business, you must build trust in your security program to be successful and implement meaningful change, which will take time.

- Executive Support & Credibility

  - In previous roles, when I had to build a security awareness program, I would start with the leadership team to educate them on the importance of security awareness and ask for their support before approaching the business. This executive support is crucial, so it's essential to take advantage of this opportunity to speak with executives and make the training compelling. I have trained on BEC and phishing, and in that training used real examples of phishing emails that executives sitting in the meeting have seen. That personal touch makes it exciting and realistic to them and helps you build credibility as a security leader.

- Leadership Announcement

  - To undertake cyber awareness initiatives, security leaders should request that the leadership team make a companywide announcement showing their support for the project(s). Ensure the announcement covers all training, not just a one-time phishing test. Explain to the executive team that for a security-aware culture to flourish at the company, different types of training on emerging subjects must be offered during the year. You want their support not for a singular training class but to establish a training program.

- Baseline

  - Establishing a current baseline of the organization's cyber knowledge is essential to build a security training program that blends cyber awareness into a business's culture with minimal resistance.

  - To start, conduct a survey using a simple questionnaire. Questions should be focused on identifying what security topics employees currently understand, security topics employees are interested in, and finally, a set of questions to determine if any regulatory or compliance regimes apply to the company.

  - Survey results from the questionnaire will assist security leaders in evaluating the types of training the Startup or SMB employees will require and whether any specialized training is needed for specific business units, such as handling and protecting sensitive data.

- Launching a cyber-aware culture

  - After reviewing the cyber training survey and selecting the initial cyber-awareness training topics and the training methodology, it's time to test it on a select group of employees. The testing aims to verify that after they complete the training, they understand it and its value to the organization in reducing its risk exposure. Once this is established, it's time to deploy the training throughout the company; however, remember that this is a program, and you are just beginning a practice that should become an established business process.

- It's about building trust

  - It's crucial to remember that as a security leader, you are trying to change a culture, and this effort will require more than just annual training classes; it requires surveys, lunch-n-learns, blogs, posters, and mini-training sessions. This is your security training program; it's about building the trust necessary for employees to feel comfortable making mistakes and reporting issues to you and your team.

Wrapping up this step: peers who have followed the processes recommended above sometimes tell me their security program still isn't trusted and ask what to do. I remind them that this step takes time and that the security leader must be an evangelist and approachable to employees to be effective. As the CISO, Director of Security, Security Manager, etc., you must visit your various business units and discuss security with employees. It would be best if you briefed your security program's strategic plan and current projects to employees, so they understand what you and your team are working on and why it's vital to the business. You and your team need to be visible; you need to state that they are your customers and that you are there to support them. You will know when you have achieved that trust because they will begin contacting you about problems, asking for your insight and help. Remember, be patient and be visible.

3. Essential Steps to Prepare for an Emergency

All businesses today operate in a hostile online world, so Startups and SMBs need to plan for the inevitable security incident. This step concerns business continuity, disaster recovery, and incident response. These three subjects are pretty significant, and much has been written about them. As a practitioner, I only provide the following ideas to help you implement a process to protect your business.

- Collect emergency contact info for critical employees and essential third-party personnel

  - Establish and document which applications, services, partners, employees, etc., are critical to keeping the business functioning in an emergency. With this knowledge, develop a contact matrix for essential personnel and include the primary and secondary contact.

  - Be sure to update this information and make it available to the teams and critical personnel needing it during an emergency.

- Develop a business operations plan:

  - Document standard business procedures for normal operations; if you don't know what normal operations look like, it's more complicated to understand when operations are beginning to shift toward abnormal.

  - Establish alternate business procedures for other-than-normal operations. This document can be developed through a "what-if" exercise and requires stakeholders from all critical business units. This document (alternate business procedures) combines with the standard business operating procedures to become the company's business operations plan. This business operations plan should include a security addendum that documents current physical security measures and methods to replace security controls if required.

  - Note: the business operations plan must acknowledge any compliance frameworks that apply to the organization (e.g., HIPAA, CCPA, GDPR).

- Develop business continuity and disaster recovery plans:

  - Work with business-critical suppliers and partners. Document emergency plans for how you will work with them if there is an outage, degraded services, etc.

  - Develop your notification processes to alert customers that there is an impact on services.

  - Develop a dependency analysis that looks at critical parts of the business (vendors, technology, services, staff, etc.) and identifies possible replacements.

  - Incorporate alternative business operations into the plan and test them periodically.

  - Prepare for local emergency power generation if applicable. Sometimes this will be managed by the owner of the building you are in; it's best to ask the question – how will you operate when the lights go out?

  - Ensure all critical IT equipment has Uninterruptible Power Supplies (UPS) with backup batteries if applicable. If you are cloud-enabled, understand your SLAs for when service will be restored or your options for alternate cloud instances.

  - Develop procedures for how business operations will be restored to normal.

  - Plan for retrieving and restoring backup data if required. It's best to understand whether the company can operate offline and how data is reconciled after operations return to normal.

- Train employees on business operations, business continuity, and disaster recovery plans:

  - Conduct training quarterly, bi-annually, or annually as needed. Assess the overall training – conduct "lessons learned" debriefs. I recommend using realistic scenario-based practice drills to build the muscle memory your business continuity and disaster recovery teams need to respond to an emergency.

- Develop an incident management program

  - Maintain an updated configuration management database (CMDB).

  - Maintain emergency contact information for all third-party partners, suppliers, and IT service providers.

  - Create incident response runbook templates and train incident response teams regarding their responsibilities. Ensure the runbook includes notification procedures for executive staff, the business continuity team, third-party contractors, and employees as required.

  - Provide the Business Continuity team with recommendations for priority notification of law enforcement, regulatory entities, and customers or clients.

  - Verify that incident response operations meet regulatory compliance requirements (e.g., GDPR or CCPA).

  - Conduct incident response training with business continuity and disaster response teams at least annually.

- Some Basic Actions to Follow During a Security Incident

  - Document the level an incident must reach before the incident response plan is activated.

  - Identify compromised or impacted assets and assess the breadth of damage, whether on the business premises or in a cloud instance.

  - Follow Incident Response runbooks for the incident type, establish reasonable communications procedures, and document all steps taken during an incident for the later lessons-learned debriefing. Document and test the process for notifying the Business Continuity team of the ongoing incident. Be sure to note the type of data affected in an incident and report this to the Business Continuity Team leader.

  - If required, work with legal counsel to notify appropriate authorities or activate specific riders within the corporate cyber insurance policy.

- Return to Normal Business Operations

  - Establish recovery points so that impacted critical systems are recovered in stages. If systems are cloud-based, recover them from the last known good configuration.

  - Take necessary actions to restore systems to standard configurations; if the configurations have been changed due to the incident, then update the CMDB to reflect these new baselines.

  - Update restored systems with current data from manual transactions that may have occurred while systems were unavailable.

  - Create a new "clean" backup after data has been updated. If the backup is a cloud-based service, initiate a new backup of the restored system.

It's important to note the difference between Business Continuity, Incident Response, and Disaster Recovery. The Business Continuity Plan and Program are managed by an executive on the company's leadership team. Business Continuity is focused on keeping the business and all critical operations running, even in a diminished capacity, during an incident. Business Continuity operates across the whole enterprise and manages all external communications. The security leader governs Incident Response, which focuses on the actual incident; a significant part of it is the security team investigating and triaging the emergency. The leader of this effort (the security leader) makes periodic reports to the Business Continuity Program Leader. Once the incident has been resolved, it's time to return to normal business operations, which involves implementing Disaster Recovery procedures. The points I made in this step are just reminders to Startup and SMB leadership teams that there are best practices for these three processes they should follow to protect their company, its partners, and its employees.

4. Develop and Build a Security Program

This final step focuses on recommendations for either building a security program or maturing one. I have written books on this process (CISO Desk Reference Guide Volumes I & II), and my goal here is to highlight some critical controls for Startups and SMBs. There are three areas I will focus on: Policy, Best Practices, and Third-Party Services.

- Develop and get approval for at least these nine cybersecurity policies:

  - There are numerous policies an organization can implement for IT and Cybersecurity. Keeping that in mind, there are nine that I would recommend a Startup or SMB implement when they establish their security programs.

    - Acceptable Use – The policy restricts how the network, website, or system may be used and sets guidelines for how it should be used.

    - Access Control – The access control policy provides rules and guidelines structuring who can access data and resources at an organization.

    - Change Management – This policy explains the process of applying changes, upgrades, or modifications to the corporate production environment.

    - Information Security – This policy identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources.

    - Incident Response – Documentation of predetermined instructions or procedures to detect, respond to, and limit the consequences of malicious cyber-attacks against an organization's information systems.

    - Remote Access – A written document containing the guidelines for connecting to an organization's network from outside the office.

    - Email/Communication – This policy is a set of clear guidelines to ensure employees use corporate email/chat technologies in line with business rules.

    - Patch Management – This policy is a set of guidelines to ensure controlled, efficient, and secure patching of corporate systems and applications.

    - Business Continuity – This plan defines the processes, procedures, decisions, and activities to ensure that an organization can continue functioning through an operational interruption.

  - Ensure employees are trained on each policy (if required) and have them sign an acknowledgment that they have read them.

- Some essential cybersecurity best practices for reducing risk:

  - Back up business data. Remember to review the critical services identified during the business continuity process. This review provides a list of sources that should be considered for backup.

  - Confirm all IT assets are protected with endpoint AV, EPP, firewall, DNS security, VPN, insider threat, encryption, etc. – use as needed and configure for automated updates.

  - Ensure all IT assets are updated with the current operating system and security patches on at least a monthly basis. I would also recommend looking at recommended operating system configurations to establish a baseline image for all IT assets in the production environment.

  - Secure wireless networks with strong passwords and incorporate 2FA if possible.

  - Enable system and network audit logging where applicable and use a SIEM or log server to collect logs for monitoring, detection, and remediation.

  - Review the risk management control framework you selected to create your strategic plan and any compliance frameworks that apply to your business to ensure you meet relevant regulatory requirements.

  - Review current access control processes and security controls in place for data protection. Confirm limited direct access to customer records and IP.

  - If you use cloud-based "compute" services, implement a cloud access security broker (CASB) solution to monitor and manage internal traffic and data transfer to cloud-based sites.

  - Implement an email security gateway to reduce malware and phishing emails received by employees.

  - Train employees at least annually in cybersecurity awareness and provide periodic training, quarterly at a minimum, on different cybersecurity topics.

- Identify which of the above cybersecurity practices you are not able to provide and seek a managed service provider (MSP) or a managed security service provider (MSSP).

  - During Step #1, as your company's security leader, you assessed and developed a list of security gaps that were prioritized and integrated into your security program's strategic plan. I bring this up because there will be issues that you identified that trusted third parties could handle for you, saving you time and resources. Startups and SMBs typically don't have large, mature IT or security teams. So, one of your options to reduce the risk exposure to your company is to use an MSP or MSSP and have them provide some of the services you need for your security program.

    - Some things to consider when selecting what services to outsource to an MSSP:

      - How large are the IT and Security teams, and what current skillsets do they have? If you have a small team or a team with junior personnel, you may want to use an MSSP to provide some of the more highly skilled security services.

      - What's the focus of your security program? Is it providing daily security operations? Is it supporting regulatory audits and due diligence initiatives for M&A? Understanding the core focus helps identify services that can be contracted to a third party. For example, I don't have the staff for my own internal SOC, so I partnered with one, as my program is designed to focus on daily operations and due diligence services.

As we finish, you now have four steps that can be used for your Startup or SMB. I have provided a basic process to assess your current security program and establish a strategic plan. I hope I have given you insight into how cybersecurity can be integrated into your organization's culture. Finally, I have equipped you with some foundational guidelines to follow for emergencies and establishing/maturing your security operations. Please keep in mind that many books cover the above subjects in more detail than what I have provided. The purpose of this article was to give a quick read for security practitioners and managers working at Startups and SMBs. I hope you have enjoyed our discussion, and I look forward to hearing from you and our community.

***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2, and the Executive Primer. I have also authored The Essential Guide to Cybersecurity for SMBs and Developing your Cybersecurity Career Path. All are available in print and e-book on Amazon. To see more of what books are next in our series, please visit the CISO Desk Reference website.

Gary Choplin, CISSP

Innovative | Problem-solver | Experienced leader in Cybersecurity, Engineering, and Architecture. Helping others grow in their cybersecurity journey.

2y

Thanks for sharing this article.

Gadi Evron

Building a world-class AI security company at Knostic | CISO-in-Residence for the Professional Association of CISOs

2y

Cool stuff. Commenting for my network.

Dutch Schwartz

I empower you to grow your business with AI and cloud | Executive Security Advisor | ex-AWS | Top Voice | Speaker | Veteran | QTE

2y

It's extremely hard to write in simple language; more so when you're steeped in years of expertise. In cybersecurity, another hazard is being narrowly prescriptive for an industry so that it's hard to abstract the general advice. Gary Hayslip - you managed to nail the first and avoid the second. Kudos!

Dani Woolf

Co-Founder @ CyberSynapse.io | Founder & CEO @ Audience 1st | VP of Marketing @ The CyberNest

2y

This is EXCELLENT.

Gary Hayslip Awesome! Thanks for Sharing!
