One of the most frequent questions I’m asked is:

“What does reasonable cybersecurity look like?”

To be honest, my answer is usually:

“Don’t take my word for it.”


So what?

I recommend that you don’t rely on the opinion of any one individual or company to tell you what ‘reasonable’ looks like.

Instead, I suggest you use a recognised industry framework / standard / benchmark / guidance to guide you.


So what to do?

If you’re in a smaller business and just need something to get your teeth into, I think the Global Security Alliance’s Cybersecurity Toolkit for Small Business is worth a look.

If you’re a regulated entity and need to identify a minimum baseline, look for ‘guidance’ (i.e. expectations) from your regulator. For example – If you’re a regulated financial services entity in Ireland, The Central Bank of Ireland’s Guidance is always a good place to start.

If these are not a good fit, there are many others – e.g. NCSC 12 Steps, Cyber Essentials, CIS Controls, NIST CSF, ISO 27000 to name just a few. Take a look and see if any suit.


PS I have used many of these with my clients over the years, and helped them to work with their IT providers to align to their selected reference point. If you want to discuss which one might suit you best, we can figure that out on a 30-min Cyber Sanity Call.


PPS I have developed a benchmark which I call ‘The Secure Foundation’, based on the core set of security defences mentioned in all of these. The Secure Foundation may not be everything you need, but every organisation needs a secure foundation.