Cybersecurity and Self-Assessment Tools for Small Businesses

National Institute of Standards and Technology (NIST) projects are size neutral. While they tools are often used by large organizations, they are designed to be used by small businesses as well. In September, NIST announced a new cybersecurity self-assessment tool that can be used by any business or organization.

The tool, in draft stage, is the Baldrige Cybersecurity Excellence Builder. The tool is intended to help businesses learn more about their cybersecurity risk management efforts, in relation to the NIST Cybersecurity Framework. Used together, the Framework sets the stage for what should be implemented and the self-assessment tool helps evaluate the effectiveness. NIST has asked for feedback on the tool and plans to publish the final version in early 2017.

The intent is that after completing the self-assessment, your business will be able to:

Determine cybersecurity-related activities that are important to your business strategy and critical service delivery

Prioritize your investments in managing cybersecurity risk

Determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities

Assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices

Assess the cybersecurity results you achieve

Identify priorities for improvement

How to do the self-assessment

The self-assessment is not meant to be arduous but will require dedicated thought to answer the questions. You and your key leaders or partners can do it with input from other key employees. You should consider including your cybersecurity expert in the assessment process. Alternatively, you might plan to review the resulting information with him/her.

The tool overview suggests the tool be used in the following steps:

1. Decide on the scope of your self-assessment

2. Complete the Organizational Context

3. Answer the process questions in categories 1–6

(1) Leadership

(2) Strategy

(3) Customers

(4) Measurement, Analysis, and Knowledge Management

(5) Workforce

(6) Operations

4. Answer the results questions in category 7

5. Assign a descriptor to your responses to each item

6. Prioritize your actions

7. Develop an action plan, implement it, and measure and evaluate your progress

The self-assessment tool includes a template for summarizing the information gathered. Completion of this template will allow you to determine if your cybersecurity program is in a reactive, early, mature, or role model stage. You can also rank the attributes/questions in level of importance. This is valuable since each business will have different value on key factors and by ranking factors, you can customize your action plan to focus on what is most critical to your business.

About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.