cyberz.wtf

Working in the cyberz makes for many WTFs

May 27, 2025 - 4 minute read - Small Business GRC

Introducing OpenCASE - the Open Cybersecurity Architecture for Small Enterprise

In the wake of my last post, over the past year I’ve found myself reflecting on how often I crash up against incompatibilities in existing cybersecurity frameworks when working with small businesses. The status quo has not only persisted in the face of criticism for at least a decade; if anything it has gotten worse under increased pressure from cyber insurers, big business customers, and governments, who have only grown more forceful in their insistence that their small business counterparts adopt the same bloated and resource-intensive enterprise standards and best practices that they use themselves.

Well, eventually I came to the conclusion that “someone” needed to create a new framework especially for small business, but the fact that it hasn’t happened yet meant that “someone” was evidently going to have to be me. So it was that I decided to create OpenCASE - the Open Cybersecurity Architecture for Small Enterprise. XKCD comic be damned.

“What about SMB1001?”, I can already hear some of you itching to interject. I’m glad you asked. While SMB1001 started out promising, the people behind it have chosen to pursue a path of what I would politely call “aggressive commercialisation”. The standard is proprietary, costs a minimum of US$95 (the price rises with headcount), and is protected by a draconian licensing agreement which basically threatens to sue the pants off anyone that shares it. You’ll notice that if you search for details on the content of SMB1001, it’s hard to find anything of substance without paying the licensing fee. At best, you’ll find some third-party articles from MSPs and the like talking about what sort of things it covers without going into any meaningful detail. That’s red flag #1.

On top of the licensing fee just to read the standard, organisations that want to be “certified” have to pay an annual fee to get their certification through the cybercert platform. This also starts at US$95 and goes up depending on the level of certification. “What’s wrong with that?” you might ask. Well, in principle nothing, except that for the bronze, silver, and gold tiers the “certification” is really just an unverified self-attestation. In other words, they’re making small businesses pay between US$95 and US$395 a year for a certificate which is basically the digital equivalent of “trust me bro”. In a third-party assurance context, it has close to zero value. In my opinion, it’s pure opportunistic rent-seeking from a section of the business community that already has very little money to spend on cybersecurity. Every dollar they spend on things like this is a dollar that didn’t go towards training, managed/professional services, or a tool that would actually make a difference to their risk profile.

So how is OpenCASE different? Well, for a start, it is open source, published under the Creative Commons Attribution-ShareAlike 4.0 International Public License. That’s a fancy way of saying it’s free to use and you can create derivative works based on it, as long as you credit the original and release your derivatives under the same terms. The content of the framework is published primarily through a git-based source code repository, allowing anyone to contribute or submit feedback via issues.

OpenCASE is structured as a list of 11 priorities, each with 3 different implementation levels targeted at organisations with differing levels of capability and maturity. Functionally, it works like a sequential to-do list of 33 controls (11 priorities × 3 levels), all designed to be achievable with the time and resources available to typical small businesses - and I mean SMALL, not small-to-medium. OpenCASE isn’t meant to be comprehensive or the end of the line; for organisations which complete the whole list, I’ve recommended graduating to more robust frameworks like the CIS Controls.

OpenCASE also includes its own self-attestation method and badges. Yes, I was dissing these as essentially worthless just a few paragraphs above - but at least these ones won’t set you back several hundred bucks. They also provide a more granular view of organisational security posture, so they can be used to show a more varied current state if some priorities have

Anyway, I won’t bother regurgitating everything I’ve already written over on the OpenCASE site. Go check it out, and if you have feedback, be sure to log an issue on the repo with your suggestions for how the framework can be improved.