Practical Cybersecurity with Jen Stone
Practical Cybersecurity, hosted by Jen Stone (MCIS, CISSP, CISA, QSA), is the bridge between complex security frameworks and real-world business implementation. Whether you are a "Jack of all trades" IT manager or a business leader with limited resources, this show provides the roadmap to a defensible security posture.
Is NIST Too Complex for Small Businesses? Daniel Eliot Weighs In
"I can’t think about cybersecurity this week; I’m thinking about 1099s."
You’re not alone. Many SMBs see the NIST Cybersecurity Framework (CSF) as an overwhelming manual for government contractors, not a local shop or startup.
Jen Stone sits down with Daniel Eliot, NIST’s lead for small business engagement. We break down the new NIST CSF 2.0 Small Business Quick Start Guide, a "small-chunk" resource designed for under-resourced organizations to move from chaos to a structured program.
In this episode:
- Why having "everyone" responsible means "nobody" is.
- How to build a "reasonable" security program while managing payroll and daily operations.
- Why taking security seriously helps you win bigger contracts and scale safely.
- The exact steps (MFA, patching, backups, and more) that even large orgs get wrong.
NIST Resources
- NIST (National Institute of Standards and Technology): https://www.nist.gov/
- Small Business Cybersecurity Corner: https://www.nist.gov/itl/smallbusinesscyber
- NIST CSF 2.0 (Cybersecurity Framework): https://www.nist.gov/cyberframework
- Small Business Quick Start Guide: https://www.nist.gov/publications/nist-cybersecurity-framework-20-small-business-quick-start-guide
- Contact Daniel and his team: smallbizsecurity@nist.gov
Key Term Definitions
- The 6 Functions: the six core Functions of the NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover
- MFA: Multi-Factor Authentication—essential for account access.
- Patching: Updating software to fix security "holes."
- MSP/MSSP: Managed Service Provider / Managed Security Service Provider—local experts you can hire to manage IT security.
Timestamps
- 00:00 – Many hats of small business owners
- 00:26 – Daniel Eliot and NIST’s Mission
- 02:25 – Exploring the Small Business Cybersecurity Corner
- 03:20 – What is the NIST CSF?
- 04:26 – The Small Business Quick Start Guide for CSF 2.0
- 06:52 – How to Identify Your Most Critical Assets
- 09:56 – When to Seek Help: Engaging MSPs and Local Resources
- 10:52 – Defining a "Successful" Cybersecurity Program
- 13:21 – Essential Fundamentals: MFA, Patching, and Backups
- 15:35 – How to Engage Directly with NIST
Jen Stone (MCIS, CISSP, CISA, QSA) is a Principal Security Analyst at SecurityMetrics. With 25+ years in IT and 100+ high-level assessments, Jen specializes in making complex compliance actionable for businesses of all sizes. Outside of security, she is an aerial arts enthusiast and motorcycle rider.
A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.
If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place
But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/