According to a 2023 Netwrix survey of global IT professionals, 47% of respondents call a lack of budget their biggest challenge to ensuring data security.
When cybersecurity budgets are tight, organizations all too often rely on an assortment of high-end security tools to protect their operations. Such constraints are even worse for small and medium-sized businesses (SMBs), which tend to invest in safeguarding only “the most important functions” of their organization. But sound as this strategy might seem, tools alone aren’t enough to safeguard your network.
Cybersecurity is About Balance
Relying on just one security component barely leads to actual protection. A museum can have the most advanced surveillance system in the world — but without physical measures in place, security personnel can only observe a theft, not prevent it. Along the same lines, even if businesses invest in monitoring tools, they won’t be able to actually respond to threats without an effective incident response plan and the right team to execute it.
A balanced cybersecurity strategy supports tools with people and processes, which play a crucial role in protecting infrastructure without much financial investment. For example, establishing a process that requires business users to annually review their data repository permissions can minimize your attack surface by eliminating superfluous permissions. This process-based approach that emphasizes least privilege security can be particularly helpful for SMBs, as it provides a solid foundation that can be scaled up as the business expands.
Frameworks like the NIST Cybersecurity Framework (CSF) can help streamline security efforts and create the necessary balance. NIST outlines six functions essential for a well-rounded approach to cybersecurity: Govern, Identify, Protect, Detect, Respond, and Recover. Each one corresponds to specific tools and processes, helping organizations develop a balanced investment strategy.
A new version of the framework, NIST CSF 2.0, has just been released. Key changes in the updated version include the restructuring of the five original functions, the addition of a new one, and clear guidance for organizations of all sizes, sectors, and cybersecurity maturity levels. What’s more, the new version of NIST CSF emphasizes making the framework easier for smaller businesses to use. To ease adoption of NIST CSF 2.0, the framework provides in-depth step-by-step instructions and an organizational profile template that should help an organization address its unique cybersecurity needs.
Understand the Business Context – Govern
Govern is the new function introduced in NIST CSF 2.0. It connects cybersecurity with the wider organizational and business context. This function helps establish and monitor the organization’s cybersecurity risk management strategy, expectations, and policy. Additionally, it aims to help organizations manage and achieve the desired outcomes for the other five functions.
Governance also involves identifying what regulatory requirements the organization must adhere to and what types of entities it interacts with. This could range from parts of its supply chain to known threat actors, or even organizations that may specifically target the organization. Understanding these elements is crucial for effective risk management and strategy formulation.
Do Your Homework – Identify First
The process begins by assessing risks so that decisions about the organization’s security needs are informed ones. Under the NIST framework, this means using the Identify function, which focuses on discovering an organization’s sensitive data, determining where that data is located, and pinpointing any vulnerabilities that could compromise it.
Identification by itself doesn’t prevent the organization from being attacked, but it helps concentrate effort on what really matters. Securing the most crucial data against the most likely threats is what allows financial resources to be allocated effectively.
Protect and Detect
The Protect function supports the organization’s ability to limit or contain the impact of a security incident. This function covers categories such as Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, and Protective Technology.
But just as locks can be picked, attackers may circumvent the Protect function. This is where the Detect function enters the mix: continuous monitoring and detection procedures alert you promptly to cybersecurity events, so that you can respond to anomalies quickly.
Respond and Recover
However, detection is of little value if you cannot respond to an alert. The Respond function is essential for containing the impact of a potential cybersecurity incident. At the same time, it works properly only in conjunction with comprehensive detection processes: if the detection tools don’t uncover every malicious action targeting the network, the organization will suffer serious damage before the security team even has a chance to react.
The Recover function is critical for restoring business continuity, ensuring that normal operations resume with minimal downtime (typically the costliest consequence of an attack). While an effective security system would ideally make this function unnecessary, it remains essential as a last resort for compromised businesses.
Achieving Balanced Maturity
A balanced cybersecurity model takes time to achieve, evolving bit by bit alongside the business itself. The NIST framework divides this evolution into tiers: initially, companies often start with an informal, ad hoc approach. As they grow more risk-aware, they develop a more defined strategy. Then, at what NIST labels “Tier 3,” organizations reach a significant milestone by formalizing risk management practices and adopting them into organizational policy.
The final stage, the Adaptive Tier, is characterized by proactively adapting to advanced cybersecurity technologies and evolving threats. This stage reflects ongoing responses to the ever-changing landscape of cybersecurity threats. NIST emphasizes that the objective of this stage is continual adaptation, not perfection, as the evolving threats in cybersecurity make it unrealistic for any organization to achieve a state of absolute security.
Conclusion
Prioritizing tools for security can easily lead businesses to undervalue the equally fundamental aspects of people, process, and simple cybersecurity hygiene. Organizations — especially those with less mature security teams — might feel compelled to invest in the most advanced detection products without considering whether such investments correspond to their overall cyber risk and acceptable risk level.
To invest in security the right way, organizations should start by covering the basics, establishing comprehensive processes across all cybersecurity functions and ensuring that their strategy is in sync with the organization’s overall risk tolerance.