Network Brainiacs
Tip #45 · Compliance

NIST CSF for small teams.

NIST's Cybersecurity Framework sounds intimidating. Stripped down for small businesses, it's six plain-English functions you can audit yourself.

The NIST Cybersecurity Framework (CSF) is one of the most widely used security frameworks in the US. Version 2.0, published in February 2024, added a "Govern" function, bringing the total to six. A small business does not need to treat it as a compliance exercise: use it as a mental checklist to see where you are strong and where you are exposed.

The six functions, in plain English

  • Govern: someone owns security and sets policy. Not "the IT guy" alone.
  • Identify: you know what you have: users, devices, data, vendors, SaaS.
  • Protect: controls are in place: MFA, backups, training, access control.
  • Detect: you would notice if something bad happened: EDR, log monitoring, alerts that someone actually reads.
  • Respond: you have a written plan for when something goes wrong, and people know their roles.
  • Recover: you can get back to normal: tested restores, communications, lessons learned.

How to use it as a small business

For each of the six functions, ask yourself: where are we? Strong, okay, or missing? Most small businesses look strong on Protect (everyone buys antivirus and most have turned on MFA somewhere) and are weak on Detect (no one watches logs or alerts) and Recover (backups exist but no one has ever tried a restore). Naming the gap is the start of fixing it.

Where this helps in real life

A firm applying for cyber insurance used the six-function self-assessment to prep.

Red flag: The self-assessment exposed that Detect was completely unaddressed. The firm deployed EDR and SIEM alerting before submitting the application, and got a lower premium and broader coverage.

A growing firm used NIST CSF to structure a conversation with their board about security investment.

Outcome: The board understood "we're strong on 4 of 6" far better than any technical deck. Investment was approved in the same meeting.

We run NIST CSF self-assessments.

A two-hour session produces a one-page report of where you are on each function. Useful for boards, insurers, and your own planning.

Do this today
  1. Walk the six functions with your leadership this quarter. 30 minutes is enough.
  2. Rate each one: strong, okay, or missing. Be honest; an untested backup counts as missing, not strong.
  3. Pick the two weakest functions and put a plan with an owner and a date against each.
  4. Use the framework to structure conversations with your board, insurer, or clients.
  5. Reassess every 12 months, and after any major change (new SaaS platform, new office, acquisition), because your assets and risks grow with the business.

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
