
Episode 3: Talking Security For SMB's with NIST expert Daniel Eliot

S1 E3 · In the Chat Room with BetterWorld Technology

In this episode of In The ChatRoom, we explore cybersecurity essentials for small and medium-sized businesses (SMBs). Host Matthew Bauer interviews NIST expert Daniel Eliot to discuss actionable strategies for protecting your business against cyber threats. Daniel shares insights into the NIST Cybersecurity Framework, best practices for SMBs, and the importance of proactive security measures in today's digital landscape. Whether you're an IT leader, business owner, or simply security-conscious, this episode provides clear, practical advice on implementing cybersecurity standards to safeguard your operations. Tune in to learn how NIST guidelines can help fortify your business and reduce cyber risks.

Keywords: SMB cybersecurity, NIST Cybersecurity Framework, small business security, Daniel Eliot, cybersecurity best practices, IT security for SMBs, protecting your business, cyber threat prevention, BetterWorld Technology.

CTA: Don't miss out on essential cybersecurity advice — subscribe to In The ChatRoom and stay ahead of threats!

BetterWorld Technology

www.linkedin.com/in/daniel-eliot/

www.nist.gov

Transcript

Series Overview

00:00:09
Speaker
Welcome to Better World Technology's In the Chat Room. In the Chat Room is a dynamic interview series where industry leaders, innovators, and experts gather to share their insights on the ever-evolving landscape of technology and business. Each episode dives into compelling conversations with thought leaders across cybersecurity, compliance, sustainability, and IT management,
00:00:32
Speaker
offering executives and business professionals an inside look at trends, challenges, and actionable strategies that drive success in today's digital-first world.

Guest Introduction: Daniel Eliot

00:00:42
Speaker
I'm your host, Matt Bauer, co-founder and director of Better World Technology, and we're excited to have in the chat room with us today Daniel Eliot, who is lead for small business engagement in the Applied Cybersecurity Division at the National Institute of Standards and Technology, which most of us know as NIST. Welcome, Daniel.
00:01:02
Speaker
Thanks so much for having me. All right, Daniel, let's start with your background and your position at NIST. Fill us in on who you are, your day-to-day focus, and how you got to where you are.
00:01:15
Speaker
Yeah, so I am, as you said, the lead for small business engagement at NIST within the Applied Cybersecurity Division. So I coordinate across NIST, across government and outside of government to really create opportunities for the small business community to engage with NIST guidance, our resources, and our subject matter expertise. I've been with NIST for a little over a year now. But prior to NIST, I worked at MITRE at the Center for Securing the Homeland, which supported a NIST facility, the National Cybersecurity Center of Excellence. And before that, I was the lead for small business
00:02:02
Speaker
engagement and our partnership engagement with the National Cybersecurity Alliance, and have done all sorts of small business related work throughout my career. I worked at the University of Delaware in their small business development center. And so the bulk of my career has been focused on small businesses, supporting them, helping them grow,
00:02:30
Speaker
and a major component of that has been helping them grow with security in mind in particular. So I'm happy to be able to continue doing that at NIST, leveraging all the great resources and expertise and hopefully adding some new content and support and resources as well.
00:02:49
Speaker
Awesome. Well, let's take a step back for our audience members who might not be familiar with NIST. What does NIST do? And then, in your area of focus, what is NIST's focus on small business and cybersecurity?

NIST's Role and Structure

00:03:06
Speaker
Yeah. So the National Institute of Standards and Technology, or NIST, is a bureau within the Department of Commerce.
00:03:14
Speaker
And the mission of NIST is to promote U.S. innovation and industrial competitiveness. And we do that by enhancing measurement science, standards, and technology in ways that enhance economic security
00:03:33
Speaker
and improve our quality of life. So we have programs focused on national priorities such as artificial intelligence, advanced manufacturing, the digital economy, precision metrology, quantum science, biosciences, and of course cybersecurity. So NIST is vast in the amount of work that it does.
00:03:54
Speaker
And all of that work is organized into six different research laboratories. I'm within the Information Technology Laboratory, and below that, I'm within the Applied Cybersecurity Division within the Information Technology Laboratory. And we really focus on cultivating trust in information technology
00:04:21
Speaker
and metrology. We do that using world-class measurement and testing facilities, encompassing a wide range of areas of computer science, mathematics, statistics, and systems engineering, in collaboration with stakeholders from all around the world, in order to have high-quality, independent, and unbiased research, standards, and data for not only the business community but for the government and for all consumers of information technology, for that matter.

Understanding Small Businesses

00:04:58
Speaker
So let's classify.
00:05:01
Speaker
How do you classify a small business? And let's dive into the work that you're doing, maybe touch on the Small Business Cybersecurity Act and CSF 2.0, giving some details around that. I don't want to redefine small business because the US Small Business Administration does that for us. The Small Business Administration generally defines a small business as fewer than 500 employees.
00:05:31
Speaker
The majority of those, though, are not 500 employees. The majority, actually over 80% of the small businesses documented by the SBA, are non-employer, so it's just the single owner-operator, no employees, no paid employees on payroll.
00:05:51
Speaker
And then after that, a significant majority are micro-businesses with fewer than 10 employees. So when I look at small business from NIST's perspective, I'm really looking at that micro-business of 10 or fewer employees, since that encompasses a significant portion of the small business community. And that portion is often significantly under-resourced when it comes to cybersecurity in particular.
00:06:21
Speaker
And so that's the audience I'm trying to target with some of our outreach.

Cybersecurity Resources for Small Businesses

00:06:27
Speaker
Now, there are essentially two congressional acts that tasked NIST with providing outreach and education to the nation's small business community. There's the Cybersecurity Enhancement Act of 2014 and the NIST Small Business Cybersecurity Act of 2018.
00:06:50
Speaker
And essentially, both direct NIST to disseminate cybersecurity technical standards and best practices that small businesses may use voluntarily
00:07:05
Speaker
to help identify, assess, manage, and reduce their cybersecurity risks. And I say voluntarily, and that's important, because NIST is a non-regulatory agency, right? So all of our standards and frameworks are voluntary for use. And with the Small Business Security Act of 2018, in particular,
00:07:30
Speaker
they tasked NIST with, again, helping small businesses identify, assess, manage, and reduce their cybersecurity risks, and producing resources that are technology neutral, so we're of course not saying, hey, use this service or this technology. They're based on international standards, which all of our work is based on international standards, or is informed by international standards, I should say,
00:07:57
Speaker
and that they vary with the nature and size of the business. Again, you can't have a one-size-fits-all resource, because businesses have varying regulatory environments and resource constraints and all sorts of different things, and so a one-size-fits-all doesn't work for any kind of organization. And then the resources have to be kind of diverse. And so one of the outcomes of the Small Business Cybersecurity Act was our NIST Small Business Cybersecurity Corner website, which was published in 2018. And it's really a hub of all of NIST's small business cybersecurity resources. There are like 70 resources on the site, all tailored to small business.
00:08:46
Speaker
They include short videos and tip sheets and case studies and quick start guides. They're all free, and they're all drawn from information produced by not only NIST but other federal agencies like the FBI, the Cybersecurity and Infrastructure Security Agency, and the SBA, as well as nonprofit organizations. And so they're regularly updated and expanded to keep the content fresh.
00:09:13
Speaker
And so I encourage organizations that are looking for small business cybersecurity resources to check out the NIST Small Business Cybersecurity Corner website, because it really houses a lot of information that not only can you use to manage or reduce your own cybersecurity risks,
00:09:35
Speaker
but you can use it in your employee training, for instance. A lot of people email us saying, hey, do you have resources to use for our employee training or security awareness training? It's like, well, yeah. You can go to this website and use any of these for free in your own training. So it's a great resource, and we encourage people to check it out, definitely.
00:09:54
Speaker
Awesome. And so the CSF 2.0 was published in February. Tell us more about the cybersecurity framework and these quick start guides and resources that you were just mentioning that you have on your site. What are the resources released around that? What are the impacts of that or the opportunities around CSF 2?
00:10:13
Speaker
And what is it?

Introduction to CSF 2.0 Framework

00:10:14
Speaker
Yeah, so the CSF, the cybersecurity framework 2.0, like you said, was published, I think, February 26 this year. And CSF, we don't look at it as just a publication. CSF 2.0 is a collection of resources that helps organizations, regardless of size or sector or maturity,
00:10:41
Speaker
better understand, assess, prioritize, and communicate their cybersecurity efforts across the enterprise. And so the CSF is a collection of security outcomes that one may strive to achieve to manage their cybersecurity risks. And again, I'm going to sound like a broken record, but due to the diversity of organizations and missions and regulatory environments and resources, it's not a one-size-fits-all either, right? It's flexible,
00:11:10
Speaker
to help organizations of different types approach managing cybersecurity risks. And as I said, it's not just a single publication, it's a collection of resources. You mentioned Quick Start Guides. We released, along with the cybersecurity framework in February, a whole host of Quick Start Guides to help organizations engage better with the content of the CSF. So there's one on cybersecurity supply chain risk management. There's one on enterprise risk management. Again, helping you contextualize these topics within the CSF. One that I specifically offer is the small business quick start guide.
00:11:55
Speaker
And that really can be looked at as a primer or an on-ramp to the CSF 2.0 for smaller organizations. There was a clear desire by industry for NIST to create a small business focused cybersecurity framework resource. And it really provides those who have modest or no cybersecurity plans in place with considerations to kickstart their cybersecurity risk management strategy using the NIST cybersecurity framework.
00:12:26
Speaker
Now, beyond quick start guides, I mean, this could be a whole podcast in itself. There were also implementation examples released, which is new. And these are more granular. So we start broadly with functions like govern, identify, protect. And then as you move through the framework, the content, the outcomes get more granular. And the most granular part of the framework are these implementation examples that illustrate ways to achieve each of these outcomes. They're not exhaustive. They're just some suggestions to get people thinking about ways to start achieving these outcomes. And those implementation examples really fed the content of that small business quick start.
00:13:11
Speaker
There are also community profiles. There are mapping tools. For instance, if you want to see the changes between CSF 1.1 and 2.0, there's a transition spreadsheet where you can see the changes that were made, to help aid in your transition

Importance of Cybersecurity in Business Operations

00:13:30
Speaker
between the two versions. And so a ton of resources. I haven't even scratched the surface of them, but those are some of the highlights.
00:13:38
Speaker
Awesome. And we'll come back to that and how folks can find all these resources. I guess, sort of starting to bring it home, I'll ask a big question here. We're offering services to the group that you're speaking to, which is small business up to 500 employees, and we're hearing this "it won't happen to me" or "I'm too small." But the realities of cybersecurity now are really impacting everyone, and it's something everybody needs to pay attention to. So, looking into your crystal ball,
00:14:19
Speaker
what things are coming on the horizon from this, but also the realities for small businesses, and all businesses really, in terms of this becoming a standard part of doing business, right? You're going to have to be addressing this in months, years, whatever it may be. It's on the way, and it's when, not if, it becomes part of what you have to deal with.
00:14:43
Speaker
Very few businesses are using paper and pencil to run their entire business, right? Let's be real. The majority of businesses, if not, maybe we could say, all, are using the internet in some form or fashion to operate their business. And so with that comes risk. With it comes cybersecurity risk. And so you're right. It is the nature of running a business today. It is inherent. And you've got to think that it's not only operating your business and the cybersecurity risks that are posed to your business, but you have to think about the fact that you're doing business with other businesses, right? And what are the risks that you could introduce to those businesses? So, speaking of supply chain, there is a lot of pressure coming onto businesses from their suppliers or their customers or their regulators, all saying, you need to take cybersecurity seriously.
00:15:40
Speaker
And so it is a matter of doing business, and it's incorporating cybersecurity into your overall risk management for your business in order to keep your business resilient and upright in the face of various dangers or risks.

Future Plans and Opportunities for Input

00:15:57
Speaker
Now, as for what's coming from this,
00:16:00
Speaker
there are some additional resources that will be published in fiscal year 25. I'm hoping to do a quick start guide for special publication 800-171, which is protecting controlled unclassified information. There's also, we're working on other quick start guides for the side registry framework. We're looking at doing a revision of NIST IR 7621, which is NIST's Small Business Information Security Fundamentals publication. So we'll be issuing a new version, a very, very different version of that. And so there are some new resources that are becoming available.
00:16:50
Speaker
But we'll continue to engage the small business community in all of our communities of interest that we have, which you can access via our small business cybersecurity corner website, and our distribution list that people can sign up for to receive notifications about all of our small business efforts. We have webinars that will be coming out in 2025, a continuation of our webinar series that we launched last year. And so there are a lot of ways to stay abreast of what we're doing and what we're producing, and not only to consume information from us, but also ways to provide input to us.
00:17:30
Speaker
I want to hear from small businesses. That's why you and I met, because I was out in Colorado, right? I was in Colorado engaging with subject matter experts in small businesses, and I want to have those discussions. I want to hear from the small business community and those who support them so that NIST can continue to be impactful to this audience and with this community.
00:17:57
Speaker
Well, that feeds perfectly into my last question, which is, how can the audience learn more? How can they interact with you and participate in all these great things you're talking about? Yeah, I think the best way is to join, again, one of our communities of interest. We have one for owners and operators and one for vendors and resource partners. They meet quarterly, so it isn't a huge pull on your time. Just meet quarterly for an hour
00:18:25
Speaker
to hear from subject matter experts or guest speakers, or to talk to each other, have candid discussions, and share input and challenges. Also, you can just email us at smallbizcybersecurity@nist.gov if you have a question or an idea.
00:18:45
Speaker
There's also, again, you can be a passive participant by subscribing to our listserv. And all of those can be accessed via our NIST Small Business Cybersecurity Corner website.
00:18:59
Speaker
Awesome. Well, Daniel, thank you. Really great to have you in the chat room, and I'm looking forward to working with you down the road. And to our audience, thank you for watching In the Chat Room with Better World Technology. To dive deeper into our episodes and learn more, visit betterworldtechnology.com. Stay connected by subscribing to our YouTube channel for exclusive content, behind-the-scenes insights, and more.
00:19:27
Speaker
And if you enjoyed this episode, be sure to follow us on Spotify and Telekali. Keep innovating, keep connecting, and we'll see you next time.