10 Years of Rapid Security Assessments - Achieving Strategic Security

Michèle Trebo, Andrea Covello, Rocco Gagliardi
May 15, 2025
Time to read: 14 minutes

Key points

SMEs need clarity, not complexity.

  • SMEs are increasingly targeted by cyberattacks and need effective protection measures
  • Our RSA and GV.PO packages give SMEs targeted, practical assessment and governance support
  • Success guaranteed even without extensive IT resources
  • RSA based on NIST CSF and without complex models
  • Cybersecurity as an integral part of the business strategy

In this article, we discuss how we have developed our Rapid Security Assessment (RSA) and GV.PO packages to specifically support SMEs in security assessment and optimization. We explain how we balance strategic alignment with technical implementation to provide practical solutions. We offer insights on how companies can realistically assess their security posture, derive targeted actions, and gradually strengthen their resilience. Additionally, we highlight how the NIST Cybersecurity Framework (CSF) works in practice, what has changed over the last ten years, which challenges particularly affect SMEs, and how our two packages provide concrete, adaptable support.

How to assess security quickly and effectively with the NIST CSF

Ten years ago, we began using the NIST CSF as the foundation for our Rapid Security Assessment (RSA). Back then, the framework was primarily a tool for us to bring order to an often confusing world. Security requirements were becoming increasingly complex. Many organizations did not know where to start. The framework helped us to create a common understanding and identify specific gaps. Today, after many years of practical application, our approach to the framework has changed significantly. We no longer see it as a rigid grid, but as a modular structure that we adapt individually depending on the size of the company, sector and risk profile. This approach offers particular advantages for small and medium-sized companies. These companies rarely have comprehensive security resources at their disposal. They need pragmatic solutions that take effect quickly. Our approach deliberately avoids complex maturity models or lengthy audits. Instead, we rely on precise assessments, concrete recommendations for action and understandable language. The aim is to make security tangible and practicable, even without an in-house security department or many years of experience in the field of cybersecurity.

What a Rapid Security Assessment (RSA) is and how it works

A Rapid Security Assessment (RSA) is an approach designed to assess an organization’s security posture quickly and precisely. The method is based on the NIST CSF and is deliberately structured to deliver actionable insights in a short time frame. The focus is not on technical details, but on the systematic assessment of risks. We combine structured interviews, document analysis, and targeted technical reviews. Rather than following a rigid checklist, we tailor our approach to the specific needs of each organization, using reduced or customized checks where appropriate to assess CSF controls. Our work with clients is highly collaborative. In workshops and discussions, we partner with the organization to determine which threats are truly relevant. Factors such as industry, business model, and the current threat landscape all play a significant role. Based on this, we produce a concise report with clearly prioritized recommendations. This provides organizations not only with a security inventory, but also a concrete foundation for informed decision-making. The Rapid Security Assessment helps organizations allocate limited resources effectively and invest where the greatest value can be achieved.

From framework to flexible tool

From the outset, we did not see the NIST CSF as a definitive model, but as a starting point. We were aware that no company fits completely into a predetermined grid. That is why we expanded the approach early on so that it can be adapted to real business processes and company sizes. In practice, this means that we decide on a case-by-case basis which parts of the framework need to be examined in depth and where a rough classification is sufficient. Sometimes a name, a comment or the order of entries is enough to identify where more attention is needed. As a rule, a few specific questions are enough to recognize whether a topic is already well addressed or whether further measures are necessary. The goal is to make critical issues visible quickly so that the next steps can be prioritized without unnecessarily burdening internal resources. Our approach is customizable and is based on the actual complexity and requirements of the environment, whether it is a targeted assessment of an identity provider or a broader view of the entire infrastructure. We aligned ourselves with the NIST standards early on, which made the introduction of the NIST CSF an obvious step. In more complex scenarios, we use supplementary models such as the Secure Controls Framework (SCF). This allows various standards such as ISO 27001, PCI-DSS or NIST 800-53 to be linked together, creating a basis for organizations that not only need to improve security but also meet regulatory requirements. This flexible use of methods produces a holistic picture that takes equal account of technical, organizational and strategic aspects. This is exactly what our customers appreciate: a method that adapts to them, not the other way around.

What has changed in ten years

Cyber security today is fundamentally different from ten years ago. Back then, the focus was on virus protection, network segmentation, and access controls. Today, organizations face complex attack chains, industrial espionage, disinformation campaigns, and professionally organized attacker groups. The threat landscape has become more dynamic, global, and unpredictable. At the same time, management has recognized that cyber security is a strategic issue. It is no longer just about protecting individual systems, but about securing the foundation of the business. This shift is reflected in the frameworks. The NIST CSF, in its current version 2.0, has been expanded to include the Govern function, emphasizing that security is not only technical but also a management responsibility. The Govern function links strategic control with technical processes, offering a broader view of security management.

Simply protecting assets is no longer enough; leadership must actively define, manage, and evolve the direction of cybersecurity. Today, terms like NIST CSF, CIS, and SCF are standard in IT and compliance departments across industries. What once needed explanation is now basic knowledge. Other models, such as the CIS Controls, have also advanced. Now in version 8, they are more aligned with real attack scenarios and modern technologies. Their structure is more task-oriented, with implementation aids and maturity groupings that help organizations adopt them based on their size and capabilities. The SCF has gained prominence as an overarching standard. It acts as a meta-model that unites various standards and best practices, enabling a comprehensive view and bridging regulatory requirements like ISO 27001, NIST 800-53, SOC 2, and PCI DSS. This makes cybersecurity not only more controllable but also auditable. We observe that the Protect function is well established in many organizations, with measures like access controls, endpoint protection, and encryption. Meanwhile, investment is growing in the Identify and Detect functions, crucial for understanding risks, inventorying systems, and detecting threats early. Advanced capabilities like automated response, integration of cyber threat intelligence, and the anchoring of cybersecurity at management level are still in development at many companies. This gap represents both a challenge and an opportunity for targeted improvements.

What is still missing

Despite significant progress, weaknesses in implementation remain. Notably, the Govern function in the NIST CSF is frequently underestimated. Many organizations reduce it to writing policies, overlooking its role as the strategic engine of effective cybersecurity. Govern means not just documentation, but active control. It connects operational security to strategic goals, ensuring initiatives are aligned rather than isolated. In small and medium-sized companies, Govern is often misunderstood as a collection of policies filed away rather than a living link between management and technical teams. Similar to the Certificate Policy (CP) and Certification Practice Statement (CPS) documents in a public key infrastructure, governance should not be seen as an endpoint but as an architecture that defines the foundation and direction of all activities. A well-defined governance framework ties business objectives to cybersecurity efforts, clarifies responsibilities, and drives continuous improvement through measurable, adaptable policies.

Industries such as banking, insurance, pharmaceuticals, automotive, and the military treat cybersecurity as a strategic asset and have stronger governance practices. In contrast, many smaller companies still see cybersecurity as merely an IT concern. They often lack the understanding that governance involves management ownership, clear responsibility structures, and regular evaluation of effectiveness. Without this overarching framework, many initiatives stall or get lost in technical details. Structured governance, however, creates clarity, builds trust towards stakeholders, and enables the sustainable development of the security strategy.

Not only large companies are affected

Cybersecurity risks no longer only impact international corporations or technology-driven companies. Small and medium-sized enterprises (SMEs) are increasingly becoming targets. The reason is simple: large companies are investing heavily in security, making smaller, less protected organizations more attractive. Attackers are no longer only seeking data but also access points to leverage for further attacks; supply chain security is a case in point, since a compromised supplier becomes a route into its customers. The idea that being too small or uninteresting provides protection is outdated.

Pharmaceutical industry

The healthcare sector is one of the most affected industries. According to ENISA, 76 percent of reported cyber incidents in the EU in 2021 involved medical institutions or research-based companies. These included web attacks, system intrusions, and human errors. Attackers typically target patient data, research results, or business secrets. In the pharmaceutical industry, where innovation is critical, a successful attack can have significant consequences. Companies must therefore not only upgrade their technology but also implement strong organizational safeguards. A key initiative at the European level is the European Health Data Space, launched in 2022 to strengthen the protection and governance of patient data.

Banks and insurance companies

The financial sector has also seen a rise in risk. Between January 2023 and June 2024, 488 publicly known incidents were recorded in Europe’s financial sector (ENISA). Legislators responded with the Digital Operational Resilience Act (DORA), passed in December 2022, aiming to harmonize the sector’s resilience across Europe. Insurance companies, banks, and financial service providers must now ensure they not only have effective security measures but can also quickly identify, report, and respond to incidents. These requirements make it clear: security is no longer a competitive advantage; it is a basic prerequisite for operating.

SMEs in the EU

With the introduction of the NIS2 Directive, small and medium-sized enterprises are now also held more accountable. Coming into force in October 2024, the directive requires enhanced cyber resilience across all sectors, including SMEs. Although detailed data is limited, it is widely recognized that SMEs often face cybersecurity challenges due to limited resources. Depending on their sector and critical infrastructure relevance, they must meet similar requirements as large organizations. This includes structured risk management, clearly defined responsibilities, reporting obligations, and technical protection measures. For many SMEs, this represents both a challenge and an opportunity to improve their security strategies and ensure future readiness. To assist with this transition, the NIST CSF 2.0 Quick Start for SMEs provides practical, scalable guidance tailored to small and medium-sized organizations. Implementing the NIST Cybersecurity Framework 2.0 helps SMEs align with NIS2 requirements by promoting a modular approach to cybersecurity. It fosters a clear understanding of risks, defines responsibilities, structures compliance efforts, and encourages continuous improvement, all essential elements for fulfilling the NIS2 obligations.

Attackers are evolving, SMEs should too

In the early days of digital attacks, cybercriminals focused mainly on simple deception, identity theft, or quick financial gains. These attacks were often opportunistic, technically simple, and broadly targeted. Today, the situation is very different. Attackers operate in a much more structured, strategic, and professional way. They use targeted espionage, social engineering, technical sophistication, and automated vulnerability scans to attack precisely those systems that offer the greatest benefit. This increasingly applies to smaller companies as well. Where SMEs were once protected by their supposed insignificance, they are now attractive targets. Cybercriminals have shifted their focus to data theft, especially proprietary information and intellectual property. Sectors such as manufacturing, engineering, and specialized development services are particularly at risk. SMEs are increasingly seen as valuable entry points into larger ecosystems or as inadequately protected carriers of highly sensitive data.

Threat statistics show that cyberattacks in Europe increased by 57 percent between 2022 and 2023. Of these, 41 percent were phishing attacks, 40 percent were web-based attacks, and 39 percent involved generic malware. Moreover, 45 percent of incidents were linked to actors from China and 39 percent to actors from Russia, indicating a high degree of coordination and geopolitical motivation. At the same time, many SMEs lack the human and financial resources to establish robust protection. Unlike companies in pharmaceuticals, banking, or insurance, SMEs often lack both budget and specialist staff. This makes them particularly vulnerable despite facing the same risks. SMEs must evolve structurally, not just selectively. They need a realistic understanding of threats, targeted risk assessments, and prioritized protection measures. Success does not depend on the most expensive tools, but on the right ones: cost-effective, strategically selected, properly configured, and continuously maintained. Combining technical defenses, organizational awareness, and focused governance can significantly reduce the attack surface and strengthen resilience over the long term.

Our services continue to evolve

In the past, many analyses were manual, time-consuming, and could take weeks. Today we use modern tools that accelerate, structure, and refine many of those tasks, so the same work can be completed much faster. These include automated scans, predefined rule sets, and AI-supported analysis tools. Platforms like OpenSCAP, for example, enable automated configuration checks against CIS benchmarks. Artificial intelligence now even helps draft initial versions of security guidelines. These technologies allow us to achieve faster and more accurate results, relieving pressure on our teams and delivering clear value to our customers.
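As an added illustration of what we do with the output of such an automated check (example code written for this article, not scip’s own tooling and not part of OpenSCAP): the Python below parses a constructed XCCDF 1.2 results document in the shape that `oscap xccdf eval --results` writes, tallies the result tokens, excludes rules that were never actually evaluated so they do not inflate the pass rate, and rolls the failures up to NIST CSF 2.0 functions through a hypothetical assessor-maintained crosswalk. The rule ids and the rule-to-function mapping are assumptions for the example; XCCDF itself carries no such mapping.

```python
"""Summarise OpenSCAP (XCCDF 1.2) results and roll findings up to NIST CSF 2.0 functions.

Added example, not scip's tooling. The results XML is a constructed sample in the
shape `oscap xccdf eval --results` writes; the rule-to-CSF crosswalk is hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: a Benchmark with its TestResult. Rule ids are made up.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_sample">
  <TestResult id="xccdf_org.example_testresult_sample">
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_firewalld_enabled" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_auditd_enabled" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_password_max_age" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_aide_installed" severity="medium">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Hypothetical assessor-maintained crosswalk from benchmark rule to CSF 2.0 function.
# XCCDF carries no such mapping; unmapped rules are reported under "UNMAPPED".
RULE_TO_CSF_FUNCTION = {
    "xccdf_org.example_rule_sshd_disable_root_login": "PR",  # Protect: access control
    "xccdf_org.example_rule_firewalld_enabled": "PR",        # Protect: platform security
    "xccdf_org.example_rule_auditd_enabled": "DE",           # Detect: continuous monitoring
    "xccdf_org.example_rule_password_max_age": "PR",         # Protect: identity management
    "xccdf_org.example_rule_aide_installed": "DE",           # Detect: integrity checking
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}

# XCCDF result tokens that mean "not evaluated" rather than "passed" or "failed".
NOT_EVALUATED = {"notchecked", "notapplicable", "notselected", "informational"}


def parse_results(xml_text):
    """Return one dict per rule-result: rule id, result token, severity."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    findings = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result_el = rr.find("x:result", ns)
        token = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        findings.append({"rule": rr.get("idref"), "result": token,
                         "severity": rr.get("severity", "unknown")})
    return findings


def count_results(findings):
    """Tally of raw XCCDF result tokens (pass, fail, notchecked, ...)."""
    return Counter(f["result"] for f in findings)


def gaps_by_function(findings, mapping=RULE_TO_CSF_FUNCTION):
    """Per CSF function, count evaluated rules that passed versus did not pass.
    Not-evaluated rules are skipped; error/unknown results count as gaps (fail)."""
    table = defaultdict(lambda: {"pass": 0, "fail": 0})
    for f in findings:
        if f["result"] in NOT_EVALUATED:
            continue
        func = mapping.get(f["rule"], "UNMAPPED")
        table[func]["pass" if f["result"] == "pass" else "fail"] += 1
    return dict(table)


def prioritized_failures(findings, mapping=RULE_TO_CSF_FUNCTION):
    """Failed rules in report order: highest severity first, then by rule id."""
    failed = [f for f in findings if f["result"] == "fail"]
    failed.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 3), f["rule"]))
    return [(mapping.get(f["rule"], "UNMAPPED"), f["severity"], f["rule"]) for f in failed]


if __name__ == "__main__":
    found = parse_results(SAMPLE_RESULTS)
    print("Result tally:", dict(count_results(found)))
    for func, counts in sorted(gaps_by_function(found).items()):
        print(f"{func}: {counts['pass']} pass / {counts['fail']} fail")
    print("Prioritised failures:")
    for func, sev, rule in prioritized_failures(found):
        print(f"  [{sev:6}] {func}  {rule}")
```

Run against a real results file by replacing `SAMPLE_RESULTS` with the file contents; the point of the crosswalk is that a benchmark failure is reported to management in CSF terms (a Protect or Detect gap) rather than as a bare rule id, which is the language the RSA report and the Govern discussion use.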

A common question arises: why seek external advice when modern tools automate so much? The answer is experience. Tools can process data, but they cannot recognize patterns with the depth of human experience. Our team brings more than 30 years of hands-on work across various technologies, from TCP/IP stacks on OS/2, Windows 3.11, AS/400, and Novell, to SIEM development, containerization, software-defined networking, and cloud infrastructures.

We recognize mistakes quickly because we have made and solved them ourselves.

Knowing where to look and what really matters is the difference between merely doing a task and doing it right. It’s not just about using tools but about understanding the big picture, prioritizing weaknesses, and implementing measures in the correct order.

Conclusion

Cybersecurity has evolved considerably over the last ten years. The NIST CSF plays a central role in this by serving as a flexible, modular structure that can be customized according to organization size and risk profile. The introduction of governance functions into security strategies, as called for by the NIST CSF, shows that cybersecurity must be seen not just as a technical issue, but as a strategic corporate task. SMEs in particular benefit from pragmatic and quickly implementable security assessments such as those offered in the Rapid Security Assessments (RSA). Companies that not only rely on technical solutions, but also adapt their organizational and strategic orientation to the current threat situation, strengthen their resilience in the long term. The increased threat situation, especially from professionally organized attackers, shows that no company, no matter how large or small, can consider itself safe from cyber attacks. It is therefore important for companies to establish a robust governance model that integrates cybersecurity at all levels. This is supported by customized services such as the RSA package and the GV.PO package for SMEs. We look forward to advising you!

About the Authors

Michèle Trebo

Michèle Trebo graduated from the ZHAW with a bachelor’s degree in computer science and a master’s degree in business informatics and worked for six years as a police officer in cybercrime investigation and analysis. She is responsible for research on criminalistic topics such as darknet, cyber threat intelligence, investigations and forensics. (ORCID 0000-0002-6968-8785)

Andrea Covello

Andrea Covello has been working in information security since the 1990s. His strengths are in engineering, specializing in Windows security, firewalling and advanced virtualization.

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.
