Cobalt, Lazarus, MageCart, Evil, Revil — cybercrime syndicates
spring up so fast it’s hard to keep track. Until…they infiltrate
your system. But you know what’s even more overwhelming
than rampant cybercrime?
Building your organization’s security framework.
CIS, NIST, PCI DSS, HIPAA, HITRUST, and the list goes on. Even
if you had the resources to implement every relevant industry
standard and control to a T, you still couldn't keep your company
from getting caught up in the next SolarWinds. Because textbook
security and check-the-box compliance won't cut it. You've got to
be strategic (especially when headcount is limited!). And
lean.
Learn the ropes now.
3 Pro Tips for Building Your Lean Security Framework
Without a framework in place, you're either navigating the
cyber-risk universe with blinders on, or buried so deep in false
positives that you couldn't spot a complex attack until it's already
moving laterally through your network.
But why build your security framework from scratch, when you
could steal a page (or 3!)[1] from other pros in the
space? Get quick tips from their free guide for bootstrapped IT
security teams below.
Pro Tip 1: Customize Industry Standards to Your Needs
Your first step to building your lean security framework? Don’t
reinvent the wheel!
Customize industry frameworks and standards to the unique needs
of your organization. For example, lay your foundation with the
Center for Internet Security (CIS) Critical Security Controls, or
the National Institute of Standards and Technology (NIST)
Cybersecurity Framework.
Next, start laying your security bricks with industry-specific
standards: the Payment Card Industry Data Security Standard
(PCI DSS) if you accept payment for goods or services by credit
card; the Health Insurance Portability and Accountability Act
(HIPAA) if you're in healthcare; and so on.
Pro Tip 2: Get Comfortable with Risk
Controls. You know you need them, but some controls are more
valuable to your security posture than others. Why?
Because some simply aren’t worth the expense.
For example, storing the personal data your company holds in the
cloud is risky. What's the alternative? Housing it on-premises? That's
expensive and comes with its own set of risks. So you choose to
accept the risk of using the cloud, right?
You’ll want to weigh the value of implementing the various
controls across your four key areas of risk management: threat;
technology and integration; cost; and third-party vendors.
Pro Tip 3: Embrace Emerging Trends and Technologies
Chances are you’ve already moved to the cloud like most scaling
companies because it’s cost-effective. So don’t limit yourself to
industry frameworks and standards designed only for companies
hosting their entire tech stacks on-premises.
Use the Cloud Security Alliance's Cloud Controls Matrix and the
cloud shared responsibility model. Jump on the Zero Trust bandwagon.
Integrate your tech stack with an XDR. Outsource threat monitoring
and response to an MSP, MSSP, or MDR. Transfer some of your risk to
a cyber insurance provider.
The Bottom Line
You’ve got more than enough options for building a risk-tight
security framework. The trick is picking and choosing wisely.
If you found these 3 tips helpful — download Cynet’s free guide[2], “How to Build a
Security Framework If You’re a Resource-Drained IT Security Team”
for more.
References
[1] steal a page (or 3!) (go.cynet.com)
[2] download Cynet's free guide (go.cynet.com)
Read more https://thehackernews.com/2022/08/lean-security-101-3-tips-for-building.html
