Building Your Small Business’ Cybersecurity Team: From In-House to Outsourcing

As small businesses have become more reliant upon data and technology to operate and scale a modern business, cybersecurity has become a fundamental risk that must be addressed alongside other business risks (e.g., financial risks, natural disasters, competitors). With the dynamic nature of cybersecurity, it takes constant vigilance and continuous improvement to effectively manage cybersecurity risks. As a business owner or operator, you might not be a cybersecurity expert. That’s OK. However, a key component of managing and reducing cybersecurity risks and integrating good cybersecurity practices throughout your organization is making sure you have a cybersecurity-ready team. The composition of this team will vary based upon your budget, current staff capabilities, risk level, cybersecurity or privacy requirements, etc., and can vary from a single in-house cybersecurity role (e.g., hiring new staff or upskilling existing), to an entire internal cybersecurity team, to external vendor or community support—or a mix of all the above.

For small businesses, which are often confronted with limited resources, knowing how to get started and finding the necessary resources can be particularly challenging. Provided below are common questions, ideas, and resources for small businesses that are looking to start building their cybersecurity team. This page provides ideas and resources for getting started. Additional resources and content will be added in the future.

Frequently Asked Questions

  1. I recognize I need to address cybersecurity risks. Where can I begin?
  2. I can’t afford to hire a dedicated staff member to focus on cybersecurity. What are some options?
  3. Are there college or university programs that support small businesses with their cybersecurity?
  4. I understand that everyone in my business can benefit from greater cybersecurity awareness. What are resources for providing cybersecurity awareness training to my staff?
  5. I’m ready to hire a new employee to help meet my cybersecurity needs. How can I get started?
  6. I’m not sure where to start. How do I choose from the options above? 

Each question (expanded upon in the sections below) includes information on how you can use NIST's NICE Workforce Framework for Cybersecurity (NICE Framework) and other useful resources to achieve your goals. 

A cybersecurity incident can be devastating to a small business and can negatively impact its ability to deliver goods and services, with effects cascading to customers, employees, business partners, and potentially the broader community. Establishing a strong cybersecurity culture creates a foundation from which to build a resilient business in the face of ever-increasing cybersecurity risks. No business, whether large or small, can prevent every cybersecurity incident from occurring. But it can implement a cybersecurity plan that will support business objectives. Before building out your cybersecurity team it is a good idea to first think about and document a few details, such as: how strong cybersecurity can enable you to operate a resilient business; what your legal, regulatory, and contractual cybersecurity obligations are; or what your high-value assets and critical dependencies are. To help you begin thinking about this, NIST has published the Cybersecurity Framework 2.0 Small Business Quick Start Guide. This guide provides small-to-medium-sized businesses, specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy by using the NIST Cybersecurity Framework (CSF) 2.0. Once you have the start of a plan in place, you will be able to make more informed decisions about how to go about building your cybersecurity team. 

No one is an expert in every area of the business. Many small businesses outsource tax, intellectual property, or contractual work to accountants or lawyers. These are complex topics that require specialized training. Cybersecurity is the same. It is common for businesses of all sizes to provide opportunities to upskill or reskill existing staff to increase their cybersecurity acumen, or to outsource cybersecurity needs to third parties that specialize in these services. It’s OK if you don’t have the budget for a dedicated in-house cybersecurity expert. You still have options. Learn more about contracting and outsourcing, reskilling and upskilling, and work-based learning in the table below.

Contracting & Outsourcing

It is common for businesses of all sizes to outsource their cybersecurity needs to third parties that specialize in these services, but it’s especially common for small businesses who typically do not have the expertise, resources, or budget to hire in-house support. For many small businesses, contracting or outsourcing makes the most sense strategically. Here are a few considerations to be mindful of: 

  • It is important to start with a clear list of cybersecurity outcomes you want to achieve with the service—such as meeting specific cybersecurity requirements or goals.
  • Read online reviews to see what the experience of other customers has been and to make sure that the provider can support your needs. Once you have narrowed down the list, you’ll want to request quotes from multiple vendors. Make sure that you don’t just focus on the cost—the quotes should help you learn about their experience working within your industry and supporting small businesses, as well as provide information about how they can help meet your specific legal, regulatory, or contractual requirements.
  • When you engage with a specific vendor, clearly understand and document the level of service, responsibilities, and expectations within a managed services agreement or other formal contract.
  • Recognize that even when you outsource some of your cybersecurity needs, you do not transfer your liability for protecting your business and your customers’ information. You are ultimately responsible for protecting your systems and data. 

NICE Framework in Action: The NICE Workforce Framework for Cybersecurity (NICE Framework) describes cybersecurity work and capabilities, regardless of who is doing that work. You can use language from the framework to help you better understand your cybersecurity risks and goals and then clearly articulate the cybersecurity work you need performed – including what knowledge and skills are needed to complete that work. 

Example: 

  • Work Role: System Security Management
  • Description: Responsible for managing the cybersecurity of a program, organization, system, or enclave.
  • View Task, Knowledge, and Skill (TKS) Statements for System Security Management.

Upskilling & Reskilling

Upskilling or reskilling current employees (enhancing employees’ existing skills or helping them to acquire new skills) brings many benefits. An example would be upskilling existing IT staff with cybersecurity skills to make cybersecurity part of their responsibilities or upskilling software developers to equip them with the skills for secure code development as part of a secure software development lifecycle.

Existing staff understand your business mission and goals, as well as have experience with your individual systems and processes. There is already a culture fit, and focusing on upskilling or reskilling not only eliminates the need to onboard new staff but also provides existing staff with career development and growth opportunities. As a result, you can increase retention, maintain institutional knowledge, and focus on the specific skills and capabilities your business needs. 

NICE Framework in Action: During Cybersecurity Awareness Month each year we celebrate Cybersecurity Career Week, a campaign to promote the discovery of cybersecurity careers and share resources that increase understanding of multiple learning pathways and credentials that lead to careers that are identified in the NICE Framework. Numerous events, activities, and resources are available for you to use, gathered from across the community and made available on the NICE website.

Work-Based Learning Programs

There are a variety of work-based learning (WBL) approaches that can help give your staff hands-on experience that translates to real-life capability. Student programs such as cybersecurity clinics, apprenticeships, and internships are covered in more depth in the section below, but these are not the only viable options for small businesses. Other approaches include job shadowing, either individually or on teams; job sharing; cyber ranges; or engaging the support or services of local colleges, universities, or economic development organizations. Resources like regional small business cybersecurity bootcamps, Small Business Development Centers, and APEX Accelerators can often be found directly or through your local Chamber of Commerce. Partnering with local communities to build programs to help stimulate the local or regional workforce can allow you to leverage additional resources and at times achieve greater outcomes.

NICE Framework in Action: The NICE Framework is a great resource to help you build your WBL program. You can use Work Roles to focus on particular areas of work in internships, identify specific Tasks to complete in a clinic, or select Knowledge and Skill statements that an apprenticeship will teach. 

Cybersecurity is an attractive field to work in, and there are cybersecurity roles in nearly every industry. Add a large demand for cybersecurity workers today, and you can see why students are interested in pursuing a career in cybersecurity. One big hurdle to joining the profession, though, can be a lack of hands-on experience. As a small business, you can work with students from your local community to offer them an opportunity to gain that experience while addressing your own cybersecurity risk. The below table provides some ideas on how to do that.

Cybersecurity Clinics

Colleges and universities have long been a valuable resource for small businesses in their communities. Higher education, often with support from industry and government, has recently been addressing two critical questions in cybersecurity through an emerging network of cybersecurity clinics: 

  1. How can we bolster the cybersecurity posture of small, under-resourced organizations in our community?
  2. How can we build a stronger cybersecurity workforce by providing students with valuable, hands-on learning experiences?

Through cybersecurity clinics, students work with faculty to provide no-cost cybersecurity services to small, under-resourced organizations—providing valuable workforce development experiences to students and important cybersecurity support to those organizations that need it the most. 

There are also other college or university-led programs that are not considered “cybersecurity clinics,” but also provide cybersecurity support to small businesses in the form of student-led security operation centers (SOCs), professional services (such as Purdue University’s Cyber TAP program), and more. Explore what is available at the higher education institutions in your area. 

NICE Framework in Action: Learning content that aligns with the NICE Framework serves as a common language to communicate with and support employer needs and describe learner capabilities. It can be mutually beneficial for small businesses to build relationships with local schools and economic development organizations to share your cybersecurity workforce challenges so that specific content that addresses those challenges can be incorporated into the courses and curriculum to help create a workforce that meets your specific needs. 

Apprenticeships

Finding skilled cybersecurity talent is a critical and rapidly growing challenge for employers in every sector nationwide. Registered apprenticeship programs provide high-quality career pathways where employers can develop and prepare their future workforce, and individuals can obtain paid work experience with a mentor and receive progressive wage increases; structured on-the-job learning; and industry credentials. These programs often work closely with local schools (K-12 and higher education) to offer opportunities to students that allow credit towards completion of coursework while engaging in hands-on learning opportunities. Apprenticeship programs provide a proven, scalable method for building a steady pipeline of diverse, skilled talent that benefits everyone—career seekers, employers, and educators. 

Apprentices are paid and receive benefits, and programs usually range from 1-3 years, often resulting in a hiring opportunity.

NICE Framework in Action: By providing a common language for learners, employers, and educators, the NICE Framework can be used as a tool for structuring apprenticeships that clearly identify Work Roles to identify learning needs and skills gaps, determine which competencies your program will focus on, and build work-based learning opportunities to help participants achieve goals. Tools like Cyberseek.org that use the NICE Framework can help participants better understand local cybersecurity workforce markets and identify career pathways.

Internships

Internships are typically short-term work experience offerings that provide individuals an opportunity to gain practical experience in a specific field. Internships are typically geared towards students or recent graduates to enable them to apply classroom learning in a real-world situation and can be targeted to multiple levels of experience to provide multiple opportunities for individuals interested in exploring new fields or careers. They often provide cohort experiences – either within an organization or with others in the same industry – and offer networking opportunities to help support participants and help them learn more about the field. 

Internships can be paid (usually without benefits) or unpaid and may last only a few weeks to as long as a year. They are usually offered to coincide with academic schedules – e.g., for a semester, summer or school break, or academic year – and often work very closely with local schools. While apprenticeships are more defined and advanced work-based learning opportunities, internships provide introductory, broad exposure to the field.

NICE Framework in Action: Just as the NICE Framework can be used in planning an apprenticeship program (see above), it can also be used when planning for interns. Use it to identify what Work Roles or Competency Areas an internship might focus on and what skills the intern may be able to build during their time with your business.

Most small businesses won’t have staff dedicated to providing cybersecurity awareness training, but there are many resources available to help make sure that this key activity isn’t overlooked. Regularly providing basic and advanced cybersecurity training to new and existing staff helps them understand the security risks associated with their work-related activities and the steps they can take to minimize those risks. You might also be required to provide a certain level of training to your staff based on regulatory, contractual, or legal requirements. 

During Cybersecurity Awareness Month (celebrated each October) you can find numerous free resources, from webinars to online courses, learning materials, and toolkits, that can be used year-round. Content can often be customized to make it more relevant to your local environment – for instance, based on the systems that personnel have authorized access to, contextualized work environments (e.g., telework, shop floor), or tailored to specific jobs. Cybersecurity awareness doesn’t always have to be complex, either; simple activities such as displaying posters with information on common risks, offering supplies inscribed with security reminders, and generating email advisories or notices from leadership can be very effective. Regularly conducting awareness events, such as lunch-and-learn meetups, workshops, and even games, can help your staff be prepared.

NICE Framework in Action: The NICE workforce management guidebook, Cybersecurity is Everyone’s Job, outlines what individuals across an organization, regardless of type or size, can do to protect the organization. It is intended for a general audience, since all organizations must perform common, essential activities. It can be read as a complete guide, or by each business function as standalone guides. 

Before you hire, you need to plan your hire. Resources like the NICE Employer’s Guide to Writing Effective Job Descriptions walk you through questions and provide you with templates to help you get started, from understanding your hiring ecosystem – the community, environment, and interconnections within your organization – to identifying your resources and job requirements and conducting candidate assessments. You want to be sure to:

  • Clearly identify the work responsibilities and expected knowledge and skills. This includes a look at the required workplace – or “soft” skills – for this position.
  • Be realistic in your hiring process. What expertise will be needed on day one, and what can be learned on the job? Is your list of responsibilities reasonable in terms of workload as well as when compared to the salary and benefits you are offering?
  • Determine how you will assess the candidates. Do you have specific credentials or years of experience that need to be met, or are you willing to offer support to candidates who meet minimum qualifications but may need additional development? Will you have hands-on assessments or use other tools to determine capability?

Don’t forget that hiring is only the first step! You’ll want to also consider what continuous learning needs the position might require, how to support your new hire when they join your team (for instance, with mentoring), and what career growth opportunities this job might provide your hire in the long-term. 

NICE Framework in Action: NICE Framework Work Roles define areas of responsibility and point to Task, Knowledge, and Skill (TKS) statements for each role—a perfect roadmap to help you pinpoint your specific job’s requirements. The NICE Employer’s Guide goes into detail about how to use the NICE Framework when hiring so that you will be equipped to author and communicate about position responsibilities and find the candidate that meets your goals. The framework also provides a great starting point to think about career pathways for long-term success.

There are quite a few options for you to consider in the content above. If you have very limited resources, a relatively simple information technology setup, and do not have significant legal, contractual, or regulatory cybersecurity requirements, you might start by taking advantage of a community resource, such as a cybersecurity clinic, to help you identify some of your biggest cybersecurity risks and areas for improvement. This could be a first step in helping you to identify if you might need additional support. If you have a more complex IT infrastructure, or have more demanding external cybersecurity requirements, you might consider hiring a cybersecurity vendor or upskilling existing IT staff (if you have them) to help you reduce your cybersecurity risks. All businesses are different, and you will have to take into account your own budget constraints, time, resources, and risks when deciding on how to build out your cybersecurity team. 

A great place for all businesses, of any size, to start is with providing training opportunities to help all staff understand their role in protecting the business from cybersecurity risks. Building your cybersecurity team involves creating a culture of cybersecurity across the business, at every level. 


What’s Next?

NIST’s NICE and small business teams will continue to update, refine, and add to this content. If you have input or resources that you think add to or complement this content, please submit them to: smallbizsecurity [at] nist.gov.

Acknowledgements

Many thanks to participants of the 2025 NICE Conference and Expo pre-conference workshop on “Supporting Small Business Cybersecurity Through Learner-Centered Services and Experiences” and to the NIST Small Business Community of Interest members for their thoughtful feedback on this content.


Do you have a question that hasn’t been answered? Visit us at:

NICE Program Home: www.nist.gov/nice
NICE Framework Resource Center: www.nist.gov/nice/framework
NIST Small Business Cybersecurity Corner: www.nist.gov/itl/smallbusinesscyber

Created November 20, 2025, Updated November 24, 2025