Those of you with IT security responsibilities in small businesses often resemble the stereotypical Scotsman, trying to stretch a penny as far as humanly possible. With an IT security budget that is likely tighter than a Tom Brady spiral pass, how do you make effective use of your limited spending capabilities?

Small business security teams have to deal not only with limited budgets but with equally scarce staff. Prioritizing your security controls and needs based on risk is the obvious starting point. However, you don’t have the manpower to perform the risk assessments and gap analyses. Given these constraints, where does someone even start?

Arguably, one of the best resources that security teams should utilize is the SANS Top 20 critical controls. SANS has done all the heavy lifting in identifying an extensive list of the foundational security controls. This is a wonderfully laid out document that greatly helps in drawing up an implementation road map and in deciding how to best integrate the controls into your security infrastructure. SANS has done all the work for you, describing in great detail what each control accomplishes; all you need to do is identify which controls would best address your most pressing security concerns.

The level of detail SANS went to is actually quite amazing: it describes how to implement the controls, how to automate them, how to measure their effectiveness (metrics), how to validate them, as well as a process for implementation.

Each control is broken down into sub-controls that can be implemented over multiple phases following a natural progression. The sub-controls are classified as quick wins (can be implemented fast and cheap), visibility/attribution, configuration/hygiene (basic security measures), and advanced. Based on your needs, you can progress to the advanced stage of the different controls. This is a great way to form the foundational aspects of the control and then, over the years, to naturally evolve the capabilities.

How can one effectively manage and visualize what controls (and sub-controls) you have implemented and what areas still need addressing? There is an awesome interactive Excel worksheet from the Tech-Wreck blog that makes tracking your progress with the SANS Top 20 an absolute breeze (plus it uses graphs that you can give to management so they can easily see the status of the different controls).

The SANS Top 20 security controls list, coupled with the Excel worksheet that captures your progress, makes a formidable tool for ensuring that you can stretch your security dollars and spend wisely on the controls that will best address the information risk within your organization. Try it out; good or bad, I’d like to hear about your experiences.