Building Your Cybersecurity Roadmap for Mid-Market and Growth-Oriented Companies: Planning a modern and efficient roadmap
From a strategic business standpoint, the first step in this process is to decide which guidance you will follow. The good news is that you do not need to start from scratch and research best practices yourself. Several established cybersecurity frameworks used in North America can guide you:
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary, outcome-based framework for managing and reducing cybersecurity risk. It is designed to be flexible and adaptable to any organization’s needs, regardless of size or sector. It is broad in scope, covering everything from supply-chain and third-party risk to governance to the technical protections on individual systems, and it is organized around the core functions Identify, Protect, Detect, Respond, and Recover (CSF 2.0 adds Govern). Many other frameworks and control catalogs map their controls to it, which makes it a useful common reference point.
The Zero Trust security model (described in NIST SP 800-207) is based on the principle of “never trust, always verify.” No user, device, or connection is trusted by default because of where it sits on the network. Instead, every request for access to a resource is evaluated on the user’s identity together with additional signals such as device health, location, and recent behavior, and only the minimum necessary access is granted. Because the model “assumes breach,” adopting it goes hand in hand with preparing for one, for example through an incident response plan, an incident response retainer, or both.
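The following is an added example (not from the white paper) of what “never trust, always verify” looks like as code: a small policy decision point that evaluates every request on identity, device posture, MFA freshness, and a behavioral signal, and that deliberately has no branch granting access because the request came from the corporate network. The users, devices, resources, and thresholds are constructed sample data, not a real deployment.

```python
"""Per-request Zero Trust policy decision (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory of managed devices: device id -> posture facts
# reported by the endpoint agent.
DEVICE_POSTURE: Dict[str, Dict[str, bool]] = {
    "lt-0042": {"managed": True, "disk_encrypted": True, "edr_running": True},
    "lt-0099": {"managed": True, "disk_encrypted": False, "edr_running": True},
}

# Constructed resource catalogue: resource -> (roles allowed, sensitivity).
RESOURCES: Dict[str, Tuple[Set[str], str]] = {
    "wiki": ({"staff", "finance"}, "internal"),
    "payroll-db": ({"finance"}, "restricted"),
}

# Restricted data requires an MFA step-up completed within the last 15 minutes
# (assumed threshold for this example).
MFA_MAX_AGE_SECONDS = 15 * 60


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    device_id: str
    on_corp_network: bool          # recorded, but never used to grant access
    resource: str
    mfa_age_seconds: int           # seconds since the user last completed MFA
    failed_logins_last_hour: int   # simple behavioural signal from the IdP


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", reasons). Every check runs on every request."""
    reasons: List[str] = []
    allowed_roles, sensitivity = RESOURCES.get(req.resource, (set(), "unknown"))

    # 1. Authorisation: the identity must hold a role entitled to the resource.
    if sensitivity == "unknown":
        reasons.append("unknown resource")
    if not (req.roles & allowed_roles):
        reasons.append("role not authorised for resource")

    # 2. Device posture: a valid login from an unknown or non-compliant
    #    device is refused, regardless of network location.
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None:
        reasons.append("unmanaged or unknown device")
    else:
        for check in ("managed", "disk_encrypted", "edr_running"):
            if not posture.get(check):
                reasons.append(f"device posture failed: {check}")

    # 3. Step-up authentication for sensitive data.
    if sensitivity == "restricted" and req.mfa_age_seconds > MFA_MAX_AGE_SECONDS:
        reasons.append("fresh MFA required for restricted data")

    # 4. Behavioural signal: a burst of failed logins taints the session.
    if req.failed_logins_last_hour >= 5:
        reasons.append("anomalous behaviour: repeated failed logins")

    # Note the absence of any "if req.on_corp_network: allow" shortcut:
    # the corporate network is not a trust boundary in this model.
    return ("allow" if not reasons else "deny"), reasons


if __name__ == "__main__":
    samples = [
        AccessRequest("alice", {"finance"}, "lt-0042", True, "payroll-db", 60, 0),
        AccessRequest("alice", {"finance"}, "lt-0099", True, "payroll-db", 60, 0),
        AccessRequest("alice", {"finance"}, "byod-1", True, "wiki", 60, 0),
        AccessRequest("bob", {"staff"}, "lt-0042", False, "payroll-db", 60, 0),
        AccessRequest("alice", {"finance"}, "lt-0042", True, "payroll-db", 3600, 0),
    ]
    for s in samples:
        decision, why = evaluate(s)
        print(f"{s.user:6} {s.device_id:8} {s.resource:11} -> {decision} {why}")
```

The second and third sample requests are the instructive ones: the user, role, and network are identical to the first request, yet the decision flips to deny because the device failed a posture check or is not in the inventory at all.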
The Center for Internet Security (CIS) Critical Security Controls are a prioritized set of safeguards for improving an organization’s security posture: 18 controls in the current version 8 (earlier versions listed 20). They are designed to be scalable and adaptable to different organizations and sectors; the Implementation Groups (IG1 through IG3) let an organization start with a basic set of safeguards and add more as its resources and risk profile grow.
There are many other frameworks, each with its own strengths and weaknesses. Your organization may choose to adopt one or more of them based on your specific needs and requirements. The industry in which you operate may also dictate regulatory or compliance requirements, such as HIPAA, PCI DSS (the Payment Card Industry Data Security Standard), the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, and so on. However, there are commonalities and areas of overlap across all of these cybersecurity practices. Consider the following areas when you are building your roadmap, no matter what industry you are in:
| Area | What the frameworks have in common |
| --- | --- |
| Collaboration and communication | Bring different departments within the organization, and external stakeholders such as vendors and partners, together around the common goal of protecting the organization's assets and data. |
| Information management | Ensure the confidentiality, integrity, and availability of information. This work includes identifying sensitive data, controlling access to it, protecting it in storage and in transit, and ensuring that it is destroyed properly when it is no longer needed. |
| Risk management | All the frameworks emphasize the importance of risk management. They direct organizations to identify, assess, and prioritize risks, and to implement appropriate measures to mitigate them. |
| Control framework | Each framework provides a set of controls, such as firewalls, access controls, and encryption, that organizations can use to protect their assets and data. |
| Continuous improvement | Organizations should regularly assess their cybersecurity posture and adjust their controls as needed. |
| Compliance | New regulatory requirements continue to emerge. Understanding how they affect your industry and your legal compliance obligations is critical. |
Cybersecurity plans and roadmaps must balance the cost and the risk to the company, with consideration of the following factors:
Managed security services are a viable option for implementing and operating controls and reducing overall risk. Conduct a careful cost/benefit analysis to identify the best strategy for your needs. For mid-market and growth-oriented organizations, partnering with a third-party provider for some or all of their security operations is often more cost-effective than building that capability in-house.