Security Programs 101

Building a cybersecurity program for a Small or Midsize Business (SMB) can be a fraught exercise. These organizations are generally short on both time and budget, are very tactically focused on today vs strategically focused on tomorrow, and often lack the internal expertise to drive cybersecurity initiatives. At the same time, they are also frequent targets of cybersecurity attacks for precisely these reasons. This leaves it up to their trusted partner – their MSP – to step in. This is a quick guide to help MSPs build out security programs for their clients.

What is needed?

To build an effective security program, there are a few key ingredients that are necessary. First and foremost, you’ll need an executive sponsor. Ideally, this will be someone in the C-Suite. Without this sponsorship, any cybersecurity initiative is likely to fall flat. And, if the sponsorship isn’t fully empowered and able to enforce change, you’re much more likely to see the program fail to launch or get hung up over minor hurdles.

Next, you’ll need to understand whether your client is required to follow any regulatory (e.g.: HIPAA) or security frameworks. Generally speaking, security framework requirements will be contractual obligations that your client has already agreed to. If your client doesn’t have specific regulatory or security requirements, start them with Center for Information Security (CIS) top 18 or NIST Cybersecurity Framework (NIST CSF) since both frameworks are reasonably robust while offering plenty of room to grow in the future.

The third step in your journey is generally to write security policies. These should align to the regulatory and security frameworks your client requires. In a perfect world, your client would already be compliant with the security and regulatory framework(s) they’ve chosen and the policies you write would reflect exactly what they’re doing today. The reality will never be this clean. Instead, it is often best to write policies that will allow your client to be compliant when completely followed and to generate exception or Acceptance of Risk (AoR) documents to describe what is being done in the meantime to manage the uncovered items. Policies should be approved by the client owner and acknowledged by all staff.

Once you have policies in place, you can perform a “gap analysis” to understand which controls your client already has covered and which are not yet addressed. Any control that isn’t yet met would be a gap. This gives you a roadmap towards compliance that you can share and prioritize with your client so that you can deploy your additional security tools (endpoint protection, MFA, etc.) to make sure the client is compliant with their written policies.

While you’re working on deploying the security tools to secure the client’s business, you should also roll out security awareness training to the client’s users. This training will shore up the most important – and most vulnerable – line of defense: the staff. This is also a good time to teach your client how to embrace risk management. Deploying a risk register and teaching the client how to identify, discuss, and manage risk will help drive better informed decision making and set them up for long term success.

Does that sound like a lot?

Well, it certainly can be. Realistically, cybersecurity is a journey, not a destination. If you try to roll out everything listed above over the course of a week, you’ll suffer from massive burnout both personally and due to change fatigue in the organization. Thus, the importance of a prioritized roadmap; this roadmap will allow you to adopt changes and adjust company culture at a pace that is manageable. This also underscores the importance of starting early in your client’s journey; the sooner you put these measures in place, the more likely your client’s staff will be to understand them and follow them carefully.

The good news is that many of the controls required by the CIS top 18 and NIST CSF are already industry best practices. Indeed, you’ve probably already rolled out many of the controls for your clients, such as enforcing MFA, deploying endpoint protection, backing up systems, encrypting hard disks, and more. This is the most common approach – start with point solutions for common problems early on, then adopt a framework and policies later. There’s nothing inherently wrong with this approach, but it does occasionally lead to scenarios where things are not optimally prioritized.

---

If you’re looking for a platform to build and manage your client’s security programs, Blacksmith InfoSec can help. We’ve built a multi-tenanted SaaS application to help you create custom policies for each client, automatically generate a prioritized compliance roadmap, track risk and business systems, and provide security awareness training. Pricing is transparent and available on our website. You can get your client’s security programs up and running quickly and easily.