In an era marked by escalating cyber threats, organizations must prioritize cybersecurity. Cyber threats and attacks are becoming more frequent, sophisticated, and damaging. Cybersecurity is essential for businesses of every size, but how to address it varies widely by organization size. This article will explore key areas of focus, team structure, and best practices for small, mid-market, and large companies.

According to a cybersecurity workforce study by (ISC)2, cybersecurity teams had the following functional area makeup across small, midsized, and large companies:

A government knowledge network company, Govloop provides this cybersecurity domain vs. organization size matrix for high-level guidance:

Now that we have these insights on typical functional breakdown and Govloop’s high-level guidance, let’s delve into specifics by enterprise size, starting with small organizations.

Cybersecurity essentials are the priority for most small organizations. A first step in covering cybersecurity essentials is adopting a security framework, such as the NIST Cybersecurity Framework. This framework is used to guide the development and implementation of cybersecurity policies and procedures. For example, a small organization may use the framework to identify its security goals and objectives, assess its current security capabilities and gaps, and prioritize and implement the security actions and measures that are most relevant and effective.  From this, a small company can determine what roles to hire to cover their cybersecurity needs.

Responsibilities: Manage network configurations, user access, and basic security measures.Significance: Their versatility and cost-effectiveness are beneficial for small organizations, as they can efficiently handle various tasks, maximizing limited resources.

Responsibilities: Monitor systems, analyze potential threats, and respond to security incidents.Significance: They provide a cost-effective way to enhance cybersecurity monitoring and incident response capabilities in small organizations.

The Cybersecurity & Infrastructure Security Agency (CISA) provides cybersecurity guidance and resources. CISA’s Cyber Guidance for Small Businesses gives role-specific cybersecurity guidance and general recommendations. Here are some key takeaways from this resource:

Eliminate any services hosted in offices, such as email and file storage. These services are called “on-premises” or “on-prem” services, requiring much skill and time to secure and maintain. Instead, migrate these services to the cloud, managed by professional providers such as Google Workspace or Microsoft 365. These providers offer secure and reliable email and file storage solutions built with world-class engineering and security talent.

Another way to improve cybersecurity is to use devices designed with security in mind, such as Chromebooks and iPads. These devices have a minimal “attack surface, " meaning they are less vulnerable to hacking and malware. Even if an attacker manages to compromise one of these devices, the data is primarily stored in the cloud, so the impact is minimal. These devices can also access cloud services without installing or updating software.

Use a form of authentication resistant to phishing attacks, one of the most common and dangerous cyber threats. The best way to prevent phishing attacks is to use FIDO authentication, a protocol that verifies your identity using a physical device, such as a USB key or a smartphone. FIDO authentication is the gold standard of multi-factor authentication (MFA).

There are more recommended cybersecurity domains for a mid-market organization to manage than a small business. Simply having a larger team brings additional cybersecurity risks that must be addressed. Some of these cybersecurity areas new for medium-sized organizations include:

Governance, Risk, and Compliance (GRC): This area involves establishing and maintaining the security strategy, policies, standards, and regulations for the organization, as well as identifying and managing the security risks and compliance requirements.Security Operations Center (SOC): This area involves monitoring, detecting, analyzing, and responding to security incidents and threats, as well as maintaining the security tools and systems for the organization.Security Engineering: This area involves designing, developing, testing, and deploying secure solutions and architectures for the organization, as well as integrating security into the software development lifecycle.Security Awareness and Training: This area involves educating and training the employees, customers, and partners on security best practices, policies, and procedures, as well as creating a security culture within the organization.

Depending on the organization's needs and goals, a medium-sized cybersecurity team may have one or more members dedicated to each area. Alternatively, they may adopt a hybrid or matrix structure, where members have multiple roles and responsibilities across different domains, depending on their skills and expertise.

Responsibilities: Implement and manage security solutions to ensure system protection.Significance: Their expertise is invaluable for medium-sized organizations, providing a balance between implementing and maintaining security solutions at a reasonable cost.

Responsibilities: Ensure adherence to relevant regulations and effective risk management.Significance: They are critical for medium-sized organizations, ensuring regulatory compliance and minimizing potential legal and financial risks.

Align the security strategy and objectives with the business strategy and objectives and communicate the value and benefits of security to the stakeholders and executives.For example, a balanced scorecard or a security dashboard might be used to measure and report the security performance and outcomes and how they support the business goals and objectives.

Establish clear roles and responsibilities for each team member and define the processes and procedures for collaboration and coordination across different areas and functions.For example, a medium-sized organization may use a RACI matrix or a security charter to clarify who is responsible, accountable, consulted, and informed for each security task or activity and how they work together to achieve the security goals and objectives.

Invest in training and development for the team members and encourage them to acquire relevant certifications and credentials, such as CISA, CISM, CRISC, CDPSE, CGEIT, CET, CSX-P, or ITCA.For example, the business might provide or sponsor training courses, workshops, webinars, or conferences for its security team members and support them to obtain and maintain their professional qualifications and competencies.

Implement metrics and measures to evaluate the performance and effectiveness of the security team and use feedback and lessons learned to improve and optimize the security operations and processes.For example, key performance indicators (KPIs) or key risk indicators (KRIs) could be used to monitor and assess the security results and impacts and conduct regular reviews and audits to identify and address any issues or gaps.

Outsource or automate some security functions, such as vulnerability scanning, penetration testing, or threat intelligence, to save time and money.For example, a third-party service or a cloud-based tool might be utilized to perform regular security scans and tests.

Collaborate with government agencies to share information, resources, and best practices on cybersecurity.For example, a mid-market organization may join a cybersecurity community or network, such as the Cybersecurity and Infrastructure Security Agency (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, to exchange insights, experiences, and solutions on how to address common cybersecurity challenges and risks.

As a company grows, it becomes a more attractive target for cyber threats, including more sophisticated ransomware attacks, where large, specific organizations are targeted for higher ransom amounts. Critical areas for countering this increased threat level include:

Network Security: Protecting the company’s network from intrusions, attacks, and unauthorized access.Cloud Security: As more businesses move their operations to the cloud, ensuring data security in the cloud becomes crucial.Endpoint Security: Securing endpoints like user devices and servers against threats.Threat Detection and Remediation: Identifying potential threats and taking action to mitigate them.Risk Management: Assessing and managing risks associated with cybersecurity.Compliance: Ensuring the company’s practices comply with relevant laws and regulations.

Large organizations must invest in a robust cybersecurity team to cover every cybersecurity domain.

Responsibilities: Provide strategic leadership and governance to align security with the organization’s objectives.Significance: Their leadership and strategic direction are vital for maintaining robust cybersecurity measures in large organizations.

Responsibilities: Design and develop the organization’s security architecture and solutions, ensuring alignment with business goals.Significance: They provide a strategic and holistic approach to security, crucial for large organizations.

Responsibilities: Conduct audits and assessments of security policies, controls, and processes, and report any gaps or violations.Significance: They play a vital role in ensuring compliance and identifying potential security gaps, essential for maintaining high-security standards in large organizations.

Responsibilities: Proactively identify and analyze threats to keep the organization ahead of potential attacks.Significance: Their role is invaluable in large organizations where staying ahead of evolving threats is essential.

Responsibilities: Design, deliver, and evaluate security training and education programs.Significance: They ensure that all stakeholders are well-informed about security practices, essential for widespread security awareness in large organizations.

Conducting regular risk assessments and audits can help identify system vulnerabilities. These assessments should be comprehensive, covering all aspects of your IT infrastructure, including hardware, software, networks, and data.

Require multi-factor authentication (MFA) wherever possible. MFA adds an extra layer of security by requiring users to provide two or more verification factors to access a resource.

Ensure that all software, including operating systems and applications, are regularly updated. These updates often include patches for security vulnerabilities. Regularly backup all critical data. In the event of a ransomware attack or data loss, backups will ensure that your business can continue to operate.

Divide your network into segments to limit an attacker’s ability to move laterally through your systems.

Implement SIEM (Security Information and Event Management) solutions for centralized monitoring and analysis.

In an ever-evolving digital landscape, safeguarding your organization against cyber threats is paramount. We hope this article provided some relevant cybersecurity insights, whether you belong to a small, medium, or large organization.

For further reading and resources on cybersecurity roles and best practices, we recommend the following:

As part of the whole-of-government approach to combating ransomware, CISA created StopRansomware.gov, a one-stop-shop of free resources for organizations of any size to protect themselves from becoming a victim of ransomware. If you have experienced a ransomware attack, we strongly recommend using the following checklist from our Ransomware Guide. 

CISA offers a list of free cybersecurity tools and services. This list serves as a living repository of cybersecurity services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. 

The Cybersecurity Evaluation Tool (CSET) is an open-source self-assessment tool designed for stakeholders to install on their endpoint device.  For those interested in using the tool or participating in CISA's open-source community, visit https://github.com/cisagov/cset. To download the file, click https://cset-download.inl.gov/.

For businesses and organizations considering using a Managed Service Provider (MSP) for their security services, review CISA’s guidance on important risk management considerations.