“Cyber Security Program Realization in the Mid-Market”
Executive Summary
6/18/18
By: Steve Leventhal, CRISC
781.953.5106
All views expressed here are my own
Purpose
Mid-market firms comprise approximately one third of the US economy according to the U.S. Census
Bureau. The purpose of this paper is to outline a logical, practical, and actionable approach to effective
cyber security program realization in the mid-market ($100M - $3B in revenue).
The Traditional Approach – “Outside/In”
Many mid-sized organizations (and larger enterprises as well) operate their security programs in a
reactive, ad hoc manner, implementing point solutions as issues arise or as awareness of potential
threats is uncovered.
A more proactive approach typically starts with implementation of controls against a commonly
accepted security program framework (such as NIST, ISO, CIS Top 20, etc.), or against a compliance or
regulatory framework (such as PCI DSS, HIPAA, etc.).
With an “Outside/In” approach, these frameworks are implemented prescriptively with little attention
paid to business context. Risk is factored in once the organization’s program matures beyond the
foundational stage.
Exhibit 1. - Outside/In Approach
The problem with an “Outside/In” approach is that the lack of business context at the early stages of the
effort overlooks key factors that are either unique to the organization or aligned to its risk profile,
appetite and tolerance.
An Inside/Out Approach
An “Inside/Out” approach starts with risk. Critical organizational assets (“Crown Jewels”) are identified,
along with prospective threats against those assets. Likelihood of attack should be calculated
quantitatively as an estimated number of events occurring over a stated duration of time (e.g. per
month, per year, etc.). Impact should be calculated as a potential loss of dollars as a result of each
successful attack. A risk-informed view is then available to executive leadership, helping to facilitate
decisions on the required intensity level of controls to best protect critical assets.
From here, organizations can then focus more broadly on the controls that defend against the most
common and potentially damaging attacks faced by similar organizations. These controls
(foundational/compliance/regulatory) help limit the likelihood of attack, further reduce business risks,
and demonstrate due care to customers and business partners via adherence to best practices.
For organizations that operate in a compliance- or regulatory-based environment, adherence to
compliance frameworks will also reduce or eliminate the risk of compliance/regulatory fines and
penalties. For organizations that are not required to adhere to any specific compliance or regulatory
framework, foundational controls such as the CIS Top 20 are a sound option.
Selection and implementation of these foundational/compliance/regulatory controls should not be done
in a vacuum. By consistently keeping an eye towards risk and business context, these controls can
continue to add defense layers around assets of highest importance.
Further, when implemented properly, risk-based protections can act as compensating controls, often
mitigating the need for certain compliance-based control requirements.
Exhibit 2. – Inside/Out Approach
Reference Architectures (First Baseline, Then Right Size)
Cyber security frameworks are sets of controls that should be leveraged as a starting point for
discussion. These frameworks should be chosen according to relevance to the business and the industry
in which it operates. Options include:
1. Industry-specific compliance/regulatory standards (e.g. PCI for the Retail Industry, HIPAA for
Healthcare, FFIEC for financial service providers, DFARS for the Defense Sector, various state
regulations for the Insurance industry such as NYDFS, NERC CIP in the Energy sector, etc.)
2. Industry-neutral, generally accepted frameworks (e.g. NIST, ISO, etc.)
3. A combination of general and compliance/regulatory frameworks
Reference architectures should layer high-level context onto the frameworks by providing general
recommendations for control intensity based on factors such as industry vertical, company size (revenue
and/or employee count), and program maturity.
These baseline control intensity recommendations must then be further tailored to meet client-specific
needs. This right-sizing effort is accomplished through practical discussions with key organizational
personnel (including C-level and support staff).
The understanding here is not that every control must be implemented with the same level of intensity.
Instead, certain controls (based on business context and risk) will require additional rigor and resources.
Other controls, while important, may be implemented with less rigor, in a less costly manner (e.g. using
open source tools, using standardized processes, etc.).
Exhibit 3. Sample Control Intensity Mapping
Required Supporting Resources
The next step after identifying risk, choosing a framework, and determining required control intensity is
determining the resources (people, process, and technology) needed to implement and operationalize
the controls at the desired intensity level.
This allows the organization to understand the full cost of its security program and provides
quantitative data for ongoing risk analysis (i.e. the full cost of control implementation and operation vs. the
associated risk it is designed to mitigate).
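The two quantitative steps described above (the Inside/Out risk view, where likelihood is an event rate over a stated period and impact is a dollar loss per successful attack, and the comparison of full control cost against the risk a control mitigates) can be carried through in a small risk register. The following is an added illustration, not part of the original paper and not the author's method; the assets, threats, event rates, losses, control options and costs are all constructed sample values, and the "net benefit" rule for choosing an intensity tier is an assumption made here for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RiskScenario:
    """One Crown Jewel paired with one prospective threat against it."""
    asset: str
    threat: str
    events_per_year: float   # likelihood: estimated events over a stated period (per year here)
    loss_per_event: float    # impact: dollars lost per successful attack

    @property
    def annual_loss(self) -> float:
        # Expected annual loss before any new control is applied.
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class ControlOption:
    """A candidate control at a given intensity, with its full yearly cost."""
    name: str
    intensity: str            # e.g. "baseline" or "enhanced" (labels are constructed)
    annual_cost: float        # people + process + technology, implementation and operation
    likelihood_reduction: float   # fraction of events prevented, 0..1
    impact_reduction: float = 0.0  # fraction of per-event loss avoided, 0..1


def residual_loss(scenario: RiskScenario, option: ControlOption) -> float:
    """Expected annual loss that remains once the option is in place."""
    events = scenario.events_per_year * (1.0 - option.likelihood_reduction)
    loss = scenario.loss_per_event * (1.0 - option.impact_reduction)
    return events * loss


def net_benefit(scenario: RiskScenario, option: ControlOption) -> float:
    """Risk reduced by the option minus its full cost (assumed decision rule)."""
    return scenario.annual_loss - residual_loss(scenario, option) - option.annual_cost


def recommend_intensity(scenario: RiskScenario,
                        options: list[ControlOption]) -> Optional[ControlOption]:
    """Pick the option with the largest net benefit; None if no option pays for itself."""
    best = max(options, key=lambda o: net_benefit(scenario, o))
    return best if net_benefit(scenario, best) > 0 else None


def risk_register(scenarios: list[RiskScenario],
                  options_by_asset: dict[str, list[ControlOption]]) -> list[dict]:
    """Executive view: scenarios ranked by annual loss, each with its recommended control."""
    rows = []
    for s in sorted(scenarios, key=lambda s: s.annual_loss, reverse=True):
        choice = recommend_intensity(s, options_by_asset[s.asset])
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "annual_loss": s.annual_loss,
            "control": choice.name if choice else "accept risk",
            "intensity": choice.intensity if choice else None,
            "residual_loss": residual_loss(s, choice) if choice else s.annual_loss,
        })
    return rows


# Constructed sample data: two Crown Jewels with very different risk profiles.
SCENARIOS = [
    RiskScenario("customer PII database", "ransomware via phishing", 0.5, 2_000_000.0),
    RiskScenario("marketing website", "defacement", 1.0, 15_000.0),
]

OPTIONS = {
    "customer PII database": [
        ControlOption("MFA + endpoint protection", "baseline", 60_000.0, 0.5),
        ControlOption("24x7 managed detection + tested backups", "enhanced", 250_000.0, 0.7, 0.5),
    ],
    "marketing website": [
        ControlOption("open source WAF + patch process", "baseline", 5_000.0, 0.6),
        ControlOption("managed WAF service", "enhanced", 30_000.0, 0.8),
    ],
}

if __name__ == "__main__":
    for row in risk_register(SCENARIOS, OPTIONS):
        print(row)
```

Run as a script, the register shows the high-impact database scenario justifying the enhanced tier while the low-impact website is best served by the cheaper baseline tier, which is the "not every control at the same intensity" point in numbers: the same decision rule, applied to each asset's own likelihood and impact, yields different rigor for different controls.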
The Reference Architecture should provide general resource recommendations, but additional efforts
should be conducted to further right-size the roadmap.
Exhibit 4. Sample Resource Map (Partial Mapping for Conceptual Demonstration Purposes)
Gap Analysis
Once the program roadmap is identified, a gap analysis should be conducted to identify and document
which controls and supporting resources are currently in place, and which are lacking in comparison to
the desired future state. Deeper dive engagements can also be conducted to determine control efficacy
and efficiency if applicable.
Program Maturity
Upon completion of the gap assessment and analysis, a game plan for program implementation and
ongoing maturity should be developed. This process should include an evaluation of the options and
impact of different control aspects under consideration (e.g. the cost of an automation tool vs. the cost
of additional employees that would otherwise be required to accomplish the desired control intensity,
etc.).
The maturity game plan includes timelines and budget requirements to implement and operationalize
the identified controls and support components (including internal processes and procedures,
prospective technology vendors and tools, full time staff and staff augmentation needs, managed
services, and consulting resources).
Summary
“Framework First” approaches (i.e. “Outside/In”) lack business context, overlooking key factors such as
risk profile, appetite, or tolerance.
Overlaying business and risk context on top of the framework (i.e. “Inside/Out” Approach) allows
organizations to better determine the appropriate intensity level of each control.
Once desired control intensity is identified, the people, process, and technology resources required to
implement and operationalize the security controls can be mapped.
This effort will better enable mid-market organizations’ executive leadership to allocate resources, right
size their program plans, and take action towards more meaningful security program efforts.