Companies getting serious about security should start small

A security program takes time to build. But you need one, no matter the size of your company, so, if you have to, start small. It's better than procrastinating and leaving your company vulnerable.

Starting small means making some security decisions that you can act on immediately. We'll help you out with that in the next section. As you put in place some common security protocols, you can start thinking about how to turn these first steps into a formal security program. We recommend building a security program incrementally by working through a framework provided by a recognized security standard. 

This approach keeps you moving forward without feeling overwhelmed. Your team will learn more about information security and gain confidence along the way. As you do, you'll grow your security program into something more robust. We generally work with two security standards that are valuable starting points for building a security program incrementally:

• NIST 800-53
• CIS Controls®

We’ll share more on both below. But first, let’s get you some quick security wins.

5 Security Steps You Can Take Right Now

You can strengthen your company's security before you even write your first security policy. Some security steps are universally valuable and easily implemented, and they are the perfect place to start making small yet meaningful steps to improve your company's security posture.

If you complete these five steps over the next few weeks, you'll already have raised your company's security posture exponentially:

1. Choose one person and make them responsible for company security; someone with budget and authority to advocate and effect change
2. Train employees on the risks of using poor passwords as well as how to recognize phishing or social engineering attempts
3. Create and enforce a password handling security policy that enforces best practices for password management, such as requiring multi-factor authentication (MFA) on your most critical systems
4. Review which users have access to which system and capabilities and then applying the principle of Least Privilege (granting users the minimum access and permissions required to perform their jobs)
5. Install endpoint protection software on all devices that connect to your network; it should include anti-virus, anti-malware, and anti-ransomware protection

These are only five of the 21 steps we've identified that you can take to immediately improve company security. You can download the guise and start working through all 21 security quick start steps. As you do, you can also start assessing which security standard you want to use as the framework to build a full security program.

NIST 800-53

The Security Program platform was designed around NIST 800-53 because it’s such a robust and flexible standard. It covers a large group of domains and controls but also provides guidance and a methodology for conducting analysis and making security decisions.

We like it as a baseline standard because so many other security standards draw on the domains and controls included in NIST 800-53. As your company completes more security tasks based on 800-53, you’re also raising your compliance level with other valuable security standards.

One of the challenges with 800-53 is that it’s so comprehensive. Its breadth can stymie companies without experience in information security or creating a security program. Working through 800-53 using a compliance management software platform like Security Program can provide the expertise and support needed to break it down into manageable chunks. You can check out a more detailed explanation on why we use NIST 800-53 as our base-level security standard and how it helps small companies grow strong security programs.

Some small or new companies prefer to start with a more targeted standard. For those companies, we recommend starting with CIS Controls®, which is a nice on-ramp to NIST 800-53.

CIS Controls® (formerly CIS 20)

The  Center for Internet Security (CIS) is an industry organization dedicated to helping people and companies improve their online security. Formerly known as "CIS 20" because it had a list of 20 controls, the current version has a list of 18 controls. That reflects a re-organization of its control families, not a narrowing of its scope. In fact, the most recent version of the CIS Controls has expanded to include security for mobile and cloud technologies.

The CIS Controls are built to reach organizations and people without information security experience and to help them prioritize actions that protect them against their most likely risks. They're written in plain language with a description under each control explaining why it's critical. The documentation presents specific actions ("safeguards") companies can take to implement each control.

The standard provides precise guidance to companies by dividing them into implementation groups (IGs). The three IGs are defined by organization size, security expertise, risk tolerance, and budget. IG1 covers small businesses with a low risk tolerance, tighter budgets, and little security experience. IG3 covers highly regulated enterprises that manage sensitive data, and where there’s risk to public welfare in case of a successful attack.

Each safeguard is marked to show which IGs should implement it. For example, control 2 covers inventory and control of software assets. It has a total of seven safeguards, three of which are marked for IG1. All the safeguards under all the controls are marked for IG3 organizations. In this way, the CIS Controls provide a clear, incremental roadmap. These safeguards and controls are also mapped to other common standards, including NIST 800-53.

The Data Breach Investigation Report (DBIR) references the CIS Controls specifically to reflect which controls are most valuable given actual threat data collected in the report. This mapping includes specifying the most useful CIS Controls by industry, given that industry’s most prevalent threats. The DBIR also identifies four controls as a “core set of Controls that every organization should consider implementing regardless of size and budget:”

• Control 4: Secure Configuration of Enterprise Assets and Software
• Control 5: Account Management
• Control 6: Access Control Management
• Control 14: Security Awareness and Skills Training

You Have to Start Somewhere if You Want to Grow

And by “grow,” we’re talking about your security program and your business.

Somebody said every journey starts with a single step. That’s how your business started. You can approach security the same way. Starting small is fine, but you do need to get started. You won’t be able to scale up operations responsibly or expand your market without a solid security program in place. Let your security program grow with you. It’s not a journey you need to take alone. Whether you want to start working through NIST 800-53 task buckets or start slower with CIS Controls, the Security Program platform and team are here and can help walk you through it.