SMB penny stretching 101: Making the most of your security budget

SMBs can learn how to deal with limited IT security budgets and scarce resources by prioritizing security controls and needs.

Those of you with IT security responsibilities in small businesses often resemble the stereotypical Scotsman, trying to stretch a penny as far as humanly possible. With an IT security budget that is likelier tighter than a Tom Brady spiral pass, how do you make effective use of your limited spending capabilities?

Small business security teams have to deal not only with limited budgets but resources are equally scarce. Prioritizing your security controls and needs based on risk is the obvious starting point. However, you don’t have the manpower to perform the risk assessments and gap analyses. Given these constraints where does someone even start?

Arguably, one of the best resources that security teams should utilize is the SANS Top 20 critical controls. SANS has done all the heavy lifting in identifying an extensive list of the foundational security controls. This is wonderfully laid out document that greatly helps in laying out implementation road map and how to best integrate the controls into your security infrastructure. SANS has done all the work for you – in describing in great details what each control accomplishes, all you need to do is best identify what controls are would address your most pressing security concerns. 

It is actually quite amazing the level of detail that SANS went to in describing how to implement the controls, automate them, how to measure their effectiveness (metrics), how to validate, as well as a process for implementation.

Each control is broken down into sub-controls that can be implemented over multiple phases following a natural progression. The sub-controls are classified as quick wins (can be implemented fast and cheap), visibility/attribution, configuration/hygiene (basic security measures), and advanced. Based on your needs your can progress to the advanced stage of the different controls. This is a great way to form the foundational aspects of the control and then over the years to naturally evolve the capabilities.

How can one effectively manage and visualize what controls (and sub-controls) you have implemented and what areas still need addressing. There is an awesome interactive Excel worksheet from Tech-Wreck blog that makes tracking your progress with the SANS Top 20 an absolute breeze (plus it used graphs that you can give to management so they can easily see the status of the different controls.)

The SANS Top 20 security controls list coupled with the Excel spreadsheets that capture the progress make a formidable tool for ensuring that you can stretch your security dollars and spend wisely on the controls that will best address the information risk within your organization. Try it out, good or bad, I’d like to hear about your experiences.