In this guide, we explain the essential and most relevant cybersecurity frameworks and standards – separately for start-ups and fast-growing companies. We use practical scenarios and case studies to show you how to best use each framework to protect your company’s critical infrastructure.
We assume that you are a CTO, a CISO or a cybersecurity expert managing a tech start-up’s security team. The question you have is:
Which cybersecurity frameworks and standards should you and your team utilise to keep the systems safe?
You should utilise a combination of frameworks and standards such as NIST, ISO 27001/27002, SOC 2, CIS controls and MITRE ATT&CK to ensure comprehensive protection. That said, let’s dig a bit deeper into each of these frameworks to understand their roles, starting with the most complex and most used: NIST Cybersecurity Framework or CSF.
NIST Cybersecurity Framework provides a flexible and risk-based approach to cybersecurity, helping to identify, protect, detect, respond and recover from cyber threats. Its flexibility and adaptability allow start-ups to tailor it to their specific needs and resources.
Now NIST offers a range of frameworks, but only some are relevant for start-ups.
In start-ups, you want to use the framework’s core functions (Identify, Protect, Detect, Respond, Recover) to organise and prioritise cybersecurity activities.
How does it work?
NIST Implementation Tiers
Implementation tiers are essentially a way to measure how thoroughly your organisation has adopted the CSF and integrated it into its cybersecurity practices. Think of them as levels of rigour and sophistication in how cybersecurity risk is managed.
There are four tiers overall: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable) and Tier 4 (Adaptive).
It’s important to understand that these tiers are not a maturity model. In other words, it’s not about being “better” than another tier, but about aligning your cybersecurity practices with your business needs and risk tolerance. Your organisation can progress through the tiers over time as it improves its cybersecurity posture. That’s why the tiers are designed to be flexible and adaptable to different organisations and industries and different development stages.
NIST Profiles
Profiles are a way to capture and document an organisation’s unique cybersecurity posture within the context of the CSF. Think of them as customised views of how the CSF is being applied in your company. They are most useful for prioritisation, measurement, communication and accountability.
Profiles have four primary functions: prioritisation, measurement, communication and accountability.
Here’s a helpful analogy. Imagine taking a picture of a building. The picture captures the building’s current state at that moment in time. Similarly, a CSF Profile captures an organisation’s cybersecurity state at a specific point in time. This gives you a clearer understanding of the cybersecurity posture and enables you to track progress so you can make informed decisions about cybersecurity investments.
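The Current-versus-Target Profile comparison described above is easy to make concrete. The following Python is an added example, not code from the article or from NIST: the five Functions are the CSF’s own, but the categories, scores and business weights are constructed for illustration, and the 1..4 scoring scale borrows the Implementation Tier labels as a convenient per-outcome rating.

```python
"""Gap analysis between a NIST CSF Current Profile and Target Profile.

Added example, not code from the original article. The five Functions are
the CSF's own; the categories, scores and business weights below are
constructed for illustration. Scores use the Implementation Tier scale,
1 (Partial) to 4 (Adaptive), as a convenient 1..4 rating per outcome.
"""
from dataclasses import dataclass

TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Outcome:
    function: str   # one of FUNCTIONS
    category: str   # CSF category, e.g. "Asset Management"
    current: int    # where we are today (1..4)
    target: int     # where the business needs us to be (1..4)
    weight: int     # business priority, 1 (low) .. 3 (high); constructed


def validate(o: Outcome) -> None:
    """Reject scores outside the tier scale or an unknown Function."""
    if o.function not in FUNCTIONS:
        raise ValueError(f"{o.category}: unknown Function {o.function!r}")
    for score in (o.current, o.target):
        if score not in TIER_NAMES:
            raise ValueError(f"{o.category}: score {score} is outside 1..4")
    if o.weight < 1:
        raise ValueError(f"{o.category}: weight must be >= 1")


def weighted_gap(o: Outcome) -> int:
    """Distance to target multiplied by business priority (0 when on target)."""
    return max(o.target - o.current, 0) * o.weight


def gap_report(outcomes: list[Outcome]) -> list[Outcome]:
    """Outcomes still below target, largest weighted gap first.

    Ties are broken by Function then category so the order is stable."""
    for o in outcomes:
        validate(o)
    behind = [o for o in outcomes if weighted_gap(o) > 0]
    return sorted(behind, key=lambda o: (-weighted_gap(o), o.function, o.category))


def function_scores(outcomes: list[Outcome]) -> dict[str, float]:
    """Average current score per Function; the lowest is where to start."""
    totals: dict[str, list[int]] = {f: [] for f in FUNCTIONS}
    for o in outcomes:
        validate(o)
        totals[o.function].append(o.current)
    return {f: round(sum(v) / len(v), 1) for f, v in totals.items() if v}


# Constructed snapshot for a small start-up (not real assessment data)
SNAPSHOT = [
    Outcome("Identify", "Asset Management", 1, 3, 3),
    Outcome("Identify", "Risk Assessment", 2, 3, 2),
    Outcome("Protect", "Access Control", 2, 4, 3),
    Outcome("Protect", "Awareness and Training", 1, 2, 1),
    Outcome("Detect", "Continuous Monitoring", 1, 3, 2),
    Outcome("Respond", "Response Planning", 2, 2, 2),
    Outcome("Recover", "Recovery Planning", 1, 2, 2),
]

if __name__ == "__main__":
    for o in gap_report(SNAPSHOT):
        print(f"{o.function:8} {o.category:24} "
              f"{TIER_NAMES[o.current]} -> {TIER_NAMES[o.target]} "
              f"(weighted gap {weighted_gap(o)})")
    print(function_scores(SNAPSHOT))
```

Running it lists the outcomes that are below target, highest weighted gap first, and the average current score per Function. The weight is the piece most teams forget: two outcomes can be equally far behind, but the one tied to customer data or a regulatory obligation should be funded first, and a profile that records that priority is what makes the next investment conversation short.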
Case Study
A small e-commerce start-up uses CSF to build its security program from scratch. They start with the “Identify” function, taking inventory of their IT assets and data. Then, they move to “Protect”, implementing basic security controls like firewalls and multi-factor authentication. As they grow, they use the framework to guide their investments in more advanced security measures, like intrusion detection systems and security awareness training.
The NIST Privacy Framework helps organisations manage privacy risks by providing a flexible and adaptable structure for identifying and managing those risks. Like the CSF, it is organised around a set of core functions for building a comprehensive privacy programme.
Case Study
A social media start-up uses the NIST Privacy Framework to build trust with its users. They start by identifying the personal data they collect and the privacy risks associated with it. Then, they implement controls to protect this data, such as data minimisation and de-identification techniques. They also communicate their privacy practices clearly to their users, building transparency and trust.
While not specifically designed for start-ups, NIST SP 800-171 provides guidelines for protecting sensitive government information. This is crucial if your company works or plans to engage with government agencies and/or handles controlled unclassified information (CUI).
The framework covers 14 families of security controls, including access control, identification and authentication and incident response.
Case Study
A health tech start-up developing a mobile app for veterans needs to comply with government regulations for protecting veterans’ health information. They use NIST SP 800-171 to implement security controls like encryption, access control and audit logging to ensure the confidentiality and integrity of this sensitive data.
NIST resources are widely recognised and, more importantly, publicly accessible, making them cost-effective for start-ups. The frameworks can be adapted to fit the specific needs and resources. Ultimately, they help start-ups prioritise their security efforts based on their unique risk profile.
ISO 27001 is an internationally recognised standard that provides a framework for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
The best use case is the implementation of a systematic approach to managing sensitive information across the organisation.
CIS Controls provide a prioritised set of actions for cyber defence; in other words, specific and actionable ways to mitigate the most prevalent attacks.
Which CIS Controls should you use?
Implement the 18 CIS Controls (version 8), which address the most critical security areas, such as inventory and control of hardware assets, continuous vulnerability management and data recovery capabilities.
SOC 2 focuses on security, availability, processing integrity, confidentiality and privacy. It’s particularly relevant for start-ups that handle customer data.
To achieve SOC 2 compliance, your organisation must undergo an audit by an independent third party to assess your controls against the SOC 2 criteria. This, in turn, will demonstrate your commitment to data security and privacy.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It’s like a cheat sheet for understanding how attackers operate and what methods they use.
So the primary use case of the MITRE ATT&CK framework is to map observed threats to known tactics and techniques. You can then utilise ATT&CK to identify gaps in your security posture and develop better defences and detection capabilities. It also helps with threat intelligence analysis and sharing information about attacker tactics and techniques. Ultimately, ATT&CK can be used to guide incident response efforts and identify the attacker’s methods.
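The “map observed threats to techniques, then find the gaps” workflow above, as an added Python example that is not part of the article and not MITRE’s own tooling. The log lines, the keyword-to-technique rules and the detection inventory are constructed for the demo; the technique IDs and names are real ATT&CK Enterprise entries. In practice the mapping rules come from your analysts or a threat-intelligence feed, not from regexes hard-coded in a script.

```python
"""Map observed events to MITRE ATT&CK techniques and find detection gaps.

Added example, not code from the original article. The log lines, the
keyword rules and the detection inventory are constructed for the demo;
the technique IDs and names are real entries from the ATT&CK Enterprise
matrix. In practice the mapping rules come from your analysts or CTI feed.
"""
import re
from collections import Counter

# Constructed mapping: regex over a normalised log line -> ATT&CK technique.
# First matching rule wins; unmatched lines are reported, not silently dropped.
RULES = [
    (re.compile(r"auth failure for \S+ from", re.I), ("T1110", "Brute Force")),
    (re.compile(r"login success .* after \d+ failures", re.I), ("T1078", "Valid Accounts")),
    (re.compile(r"powershell\.exe .*-enc", re.I), ("T1059", "Command and Scripting Interpreter")),
    (re.compile(r"attachment \S+\.docm opened", re.I), ("T1566", "Phishing")),
    (re.compile(r"new scheduled task", re.I), ("T1053", "Scheduled Task/Job")),
]
NAMES = {tid: name for _, (tid, name) in RULES}

# Constructed sample log (203.0.113.0/24 is a documentation address range)
SAMPLE_LOG = """\
sshd: auth failure for root from 203.0.113.9
sshd: auth failure for root from 203.0.113.9
sshd: auth failure for admin from 203.0.113.9
sshd: login success for admin from 203.0.113.9 after 3 failures
proc: powershell.exe -NoP -Enc AAAA started by admin
mail: attachment invoice.docm opened by j.doe
schtasks: new scheduled task 'Updater' created by j.doe
cron: nightly backup completed
"""

# Constructed detection inventory: technique id -> rules that already fire on it
DETECTIONS = {
    "T1110": ["SIEM: >5 auth failures from one source in 5 min"],
    "T1059": ["EDR: encoded PowerShell command line"],
    "T1566": ["Mail gateway: macro-enabled attachment block"],
}


def map_events(log_text):
    """Return (Counter of technique id -> hits, list of unmapped lines)."""
    observed = Counter()
    unmapped = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for pattern, (tid, _) in RULES:
            if pattern.search(line):
                observed[tid] += 1
                break
        else:
            unmapped.append(line)  # keep these: they are your mapping backlog
    return observed, unmapped


def coverage_gaps(observed, detections):
    """Observed techniques with no detection, most frequently seen first."""
    gaps = [(tid, NAMES.get(tid, "?"), n)
            for tid, n in observed.items() if tid not in detections]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))


def coverage_ratio(observed, detections):
    """Share of distinct observed techniques that at least one detection covers."""
    if not observed:
        return 1.0
    covered = sum(1 for tid in observed if tid in detections)
    return covered / len(observed)


if __name__ == "__main__":
    observed, unmapped = map_events(SAMPLE_LOG)
    print("observed:", dict(observed))
    print("unmapped:", unmapped)
    for tid, name, n in coverage_gaps(observed, DETECTIONS):
        print(f"GAP {tid} {name}: seen {n}x, no detection")
    print(f"coverage: {coverage_ratio(observed, DETECTIONS):.0%}")
```

On the constructed log the script reports two gaps (Valid Accounts and Scheduled Task/Job were observed but nothing detects them) and one unmapped line. Both outputs matter: the gaps tell you which detections to build next, and the unmapped lines tell you where your mapping rules, not your defences, are incomplete.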
Industry-Specific Regulations
Depending on the industry your start-up operates in, you should also incorporate relevant regulations, such as HIPAA for healthcare or PCI DSS for payment card processing.
Cloud Security Frameworks
If your start-up utilises cloud services, you should consider adopting cloud-specific security frameworks, such as the Cloud Security Alliance’s Cloud Controls Matrix (CCM).
Let’s now raise the bar higher and focus on a fast-growing tech company’s security. What cybersecurity frameworks and standards should your team utilise to keep everything safe from intrusion?
Make no mistake; scaling up changes the game. Your approach to cybersecurity frameworks and standards should therefore evolve in this fashion:
During the start-up stage, you’ve leaned on more agile frameworks like CSF and CIS Controls. You should, therefore, continue expanding them; for example, adapt NIST’s Tiers 3 (Repeatable) and 4 (Adaptive) for fast growth.
Automation is the key here. So leverage security information and event management (SIEM) systems, intrusion detection/prevention systems (IDS/IPS) and automated vulnerability scanners to streamline security processes and keep pace with growth.
Enhancing Tier 3 (Repeatable): focus on automation and integration; enhance threat intelligence and vulnerability management; strengthen incident response and recovery.
Tier 4 (Adaptive): embrace advanced technologies; adapt to change.
Case Study
A fintech start-up experiencing rapid user growth uses the CSF to guide its security strategy. They begin with a basic “Identify” and “Protect” implementation, focusing on securing customer data and financial transactions. As they scale, their attack surface expands so they use the framework to prioritise investments in more advanced security measures, like threat intelligence and incident response planning.
NIST SP 800-160 emphasises building security into systems from the ground up. It should, therefore, be adopted early by start-ups that expect rapid development and deployment of new technologies.
In such a scenario, security should be integrated throughout the entire system lifecycle, from requirements analysis to disposal. The systems must be designed to withstand and recover from attacks, reducing disruptions to operations during rapid growth.
Case Study
A SaaS company scaling its cloud infrastructure uses NIST SP 800-160 to guide the development of its new platform. By incorporating security considerations into the design phase, they ensure that security is baked into the foundation of their system, reducing vulnerabilities and ensuring resilience as their user base expands and their infrastructure grows more complex.
While primarily focused on federal systems, NIST SP 800-53 is also highly relevant for non-federal organisations. The framework offers a comprehensive catalogue of security controls that can be adapted by any organisation.
Should you choose to implement it, start with a subset of controls. Prioritise those most relevant to your organisation’s specific risks and industry regulations.
TIP: Don’t try to implement everything at once. Focus on the most critical controls first and gradually expand coverage as the organisation matures.
Case Study
A fast-growing healthcare start-up handling sensitive patient data uses NIST SP 800-53 as a guide to implementing a robust security program. They prioritise controls related to access control, data encryption and audit logging to ensure compliance with HIPAA regulations and protect patient privacy. As they scale, they gradually implement additional controls to address evolving threats and maintain a strong security posture.
Four areas to address as the company scales: 1. Automation; 2. Cloud Security; 3. Emerging Threats; 4. Scaling Security Operations.
CIS Controls require continuous monitoring and improvement. However, focus on those controls that are most relevant to the organisation’s specific risks and industry regulations. If possible, embed the CIS Controls into the core business processes to ensure they are sustainable and scalable.
Given the likelihood of heavy cloud reliance, you should adopt cloud-specific frameworks like the Cloud Security Alliance’s Cloud Controls Matrix (CCM) and the Center for Internet Security’s (CIS) Benchmarks for cloud providers (AWS, Azure, GCP).
Additionally, you should integrate security into the development lifecycle (DevSecOps). This ensures that security is baked into every stage of software development, reducing vulnerabilities and accelerating secure deployments.
For a fast-growing tech company, cybersecurity needs to be agile, scalable and deeply integrated into the company’s culture and operations. By combining the right frameworks, standards and technologies, you can build a robust security posture that protects the company while enabling its rapid growth.
There is one thing you need to build right away and that’s a security-conscious culture; otherwise, your systems will stay exposed to breaches no matter how many security frameworks you use.
The first step in achieving this is security awareness training for all employees. This should be a regular event because it not only fosters a security-first culture but, more importantly, prevents or, at the very least, seriously reduces human error. And human error is the number one threat to every system.
And the second thing to do is to create a well-defined and regularly tested incident response plan. An IRP is essential to minimise damage and ensure business continuity in case of a security breach.
Ultimately, the top priority, the top security standard if you will, whether you run a start-up or a fast-growing tech company, is personal cyber hygiene. Without it, cybersecurity frameworks and standards will have a limited impact.
Module 6 of our Digital MBA for Technology Leaders goes into the operational details of cybersecurity. Its 22 lectures cover a range of topics in information security, employee education and systems management. It is the single best resource for technology leaders and security experts because the lecturers are C-level executives who base their lessons on practice and experience. In other words, everything you learn is immediately applicable to your daily operations.