
The missing cybersecurity leader in small business

The average cost of a cyberattack on a small- or medium-size business is more than $250,000. The salary for a chief information security officer (CISO) is about the same, between $250,000 and $400,000, according to the annual 2026 CISO Report from Sophos and Cybersecurity Ventures. Small- and medium-size businesses (SMBs) know they cannot afford the salary, so they roll the dice, hoping they will not be attacked. This is a dangerous gamble that these businesses, which make up the backbone of the American economy, should not have to take. A virtual CISO (vCISO) or fractional CISO (fCISO) can provide a practical solution.

As the American economy goes digital, SMBs now rely on the same building blocks as big enterprises — cloud services, payment systems, remote access, customer data, and other third-party vendors. But without senior cyber leadership, cybersecurity often becomes a patchwork of tools, checklists, insurance paperwork, and whatever guidance a vendor offers. That may get these companies through a questionnaire; it will not build real resilience. Nearly half of all reported cyber incidents, which are projected to cost the global economy $12.2 trillion annually by 2031, involve smaller firms.

The threat is growing in both size and sophistication. Adversaries are deploying AI to automate reconnaissance, develop malware, and run phishing campaigns at scale. This reduces the cost and skill needed to target smaller firms at volume. Adversaries are also collecting encrypted data with the intent to decrypt it later when they have access to large enough quantum computers. SMBs in defense, healthcare, and financial supply chains often hold sensitive credentials that provide access into larger enterprise environments, but most are not prepared to adopt quantum-resistant encryption.

SMBs generally understand they face cyber risk. The real gap is leadership: someone who can turn technical vulnerabilities into business decisions, set priorities, brief executives, prepare for audits, and hold vendors accountable. For most SMBs, hiring a full-time CISO is financially unrealistic.

A Virtual CISO provides remote, on-demand cybersecurity leadership and advice, typically supporting several organizations at the same time. A fractional CISO is a dedicated, part-time executive who is more deeply integrated into one organization’s governance, security planning, and day-to-day operations. Both models give smaller organizations access to senior-level cybersecurity expertise in a flexible, more affordable way than hiring a full-time CISO.

Washington should make it easier for SMBs to hire fractional cybersecurity leaders, because the private market is not closing this gap on its own. The Cybersecurity and Infrastructure Security Agency (CISA) and the Small Business Administration (SBA) could help by publishing buyer guidance: vetted criteria for evaluating providers, example scopes of work and deliverables, and real-world case studies that show SMB owners what a high-quality vCISO or fCISO engagement should look like.

Clear guidance matters because many smaller firms cannot easily tell the difference between true cybersecurity leadership and a tool reseller, compliance-only consultant, or a generic managed services contract. Any vetted provider criteria should emphasize proven experience building and running security programs, independence from vendor incentives and product quotas, and the ability to tie security investment to real business risk, not just a list of certifications. Model scopes of work should also spell out the basics every engagement should deliver: an initial risk assessment, a prioritized remediation roadmap, and simple metrics that show whether security is improving over time. Without clear buyer criteria, federal efforts could end up funding low-quality services that add cost and paperwork without making companies safer.

The National Institute of Standards and Technology (NIST) should recognize these CISO models in its SMB-focused Cybersecurity Framework guidance. That would help smaller firms turn the framework’s Govern, Identify, Protect, Detect, Respond, and Recover functions into a clear, accountable leadership structure. This would make these roles less abstract: the point is not merely providing advice, but taking executive-level ownership of risk priorities, vendor oversight, incident readiness, and communication with the owner or board.

Congress and the Treasury Department should consider targeted tax incentives or credits for qualified cybersecurity leadership services, tied to measurable risk-reduction outcomes. Eligible activities could include completing a risk assessment, building an incident response plan, conducting vendor security reviews, running employee training, and producing a remediation roadmap. SMBs often defer cybersecurity because every dollar competes with payroll, inventory, and growth. A targeted incentive would make security leadership easier to justify as a business investment rather than an optional add-on.

Federal acquisition officials should require contractors that handle sensitive government data to show they have executive-level cybersecurity oversight, whether full-time, virtual, or fractional, and should extend that expectation down to relevant subcontractors and suppliers. This is necessary because SMBs serve as entry points into defense, healthcare, financial, and critical infrastructure supply chains.

Finally, CISA and the SBA should support vCISO- and fractional-CISO-led workforce training. Employees improve security when training comes with leadership, regular reinforcement, and clear accountability, not just annual awareness training. The aim is not to turn every SMB into a Fortune 500 security shop. It should be to give smaller firms access to the leadership they need before the next incident forces the issue.

Georgianna Shea, who is a Doctor of Computer Science, is chief technologist at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab, where Cason Smith served as a summer 2025 intern. Cason is studying integrated information technology at the University of South Carolina.

The post The missing cybersecurity leader in small business appeared first on CyberScoop.

NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities

The federal agency tasked with analyzing security vulnerabilities is overwhelmed as it and other authorities struggle to keep pace with a flood of defects that grows every year. The National Institute of Standards and Technology announced Wednesday that it has capitulated to that deluge and narrowed the priorities for its National Vulnerability Database.

NIST said it will prioritize analysis only for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, affect software used in the federal government, or affect critical software as defined under Executive Order 14028.

The federal agency’s goal with the change is to achieve long-term sustainability and stabilize the NVD program, which has encountered previous challenges, notably a funding lapse in early 2024 that forced NIST to temporarily stop providing key metadata for many vulnerabilities in the database.

The agency still hasn’t cleared a backlog of unenriched CVEs that built up during that pause and grew since then. 

NIST said it analyzed nearly 42,000 vulnerabilities last year, adding that CVE submissions surged 263% from 2020 to 2025. “We don’t expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year,” the agency said in a blog post announcing the change. 

Indeed, vulnerabilities are increasing across the board. For instance, Microsoft addressed 165 vulnerabilities Tuesday, its second-largest monthly batch of defects on record.

NIST said CVEs that don’t fit its more narrow criteria will still be listed in the NVD, but they won’t be automatically enriched with additional details. 

“This will allow us to focus on CVEs with the greatest potential for widespread impact,” the agency said. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”

Researchers and threat hunters who analyze vulnerabilities for CVE Numbering Authorities (CNAs), and vendors that publish their own assessments, view NIST’s new approach as inevitable.

“They had to do something. NIST was woefully behind on classifying CVEs and would likely never have caught up,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.

“I’m not sure if it was a herculean task or a sisyphean one, but either way, they were set up for failure under their previous system. This change allows them to prioritize their work,” he added.

NIST’s new approach will affect the vulnerability research community at large, and it will also put private companies and organizations in a position to gain more authority as defenders seek out alternative sources of vulnerability analysis.

Caitlin Condon, vice president of security research at VulnCheck, previously told CyberScoop that prioritization remains a problem, with too many defenders paying attention to vulnerabilities that aren’t worth their time. 

Of the more than 40,000 newly published vulnerabilities that VulnCheck cataloged last year, only about 1%, just 422, were exploited in the wild.

NIST is also trying to reduce duplicative effort with its new approach, effectively leaning even more on CNAs. CVEs that are submitted with a severity rating will no longer receive a separate CVSS score from NIST, the agency said.
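The practical consequence for defenders is that an NVD record may now carry only the CNA’s score, or no score at all. The following is an added example (not CyberScoop’s or NIST’s code) of how a vulnerability-management pipeline can resolve one severity per CVE from NVD API 2.0-style records: it prefers NIST’s own score when present, falls back to the CNA-supplied one, and separates out CVEs that have neither so they can be routed to manual review. The record shape (`cve.vulnStatus`, `cve.metrics.cvssMetricV31[]` entries with `source` and `type`) follows the public NVD 2.0 JSON layout; every CVE ID, source address and score below is a constructed placeholder, not a real vulnerability.

```python
"""Choose a usable CVSS severity for each CVE when NVD enrichment is absent.

Added example, not CyberScoop's or NIST's code. Record shape follows the
NVD API 2.0 JSON layout (cve.vulnStatus and cve.metrics.cvssMetricV31[]
entries carrying 'source' and 'type'); every CVE ID, source and score
below is a constructed placeholder, not a real vulnerability.
"""
from __future__ import annotations

from dataclasses import dataclass

NIST_SOURCE = "nvd@nist.gov"  # source string the NVD feed uses for its own scores


@dataclass(frozen=True)
class Severity:
    cve_id: str
    status: str
    base_score: float | None
    base_severity: str | None
    scored_by: str  # "nist", "cna" or "none"


def _pick_metric(metrics: list[dict]) -> tuple[dict | None, str]:
    """Prefer NIST's own 'Primary' entry; fall back to a CNA-supplied 'Secondary' one."""
    for m in metrics:
        if m.get("type") == "Primary" and m.get("source") == NIST_SOURCE:
            return m, "nist"
    for m in metrics:
        if m.get("type") == "Secondary":
            return m, "cna"
    return None, "none"


def severity_for(record: dict) -> Severity:
    """Resolve one NVD 2.0 vulnerability record to a single severity with its provenance."""
    cve = record["cve"]
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    metric, scored_by = _pick_metric(metrics)
    data = metric["cvssData"] if metric else {}
    return Severity(
        cve_id=cve["id"],
        status=cve.get("vulnStatus", "Unknown"),
        base_score=data.get("baseScore"),
        base_severity=data.get("baseSeverity"),
        scored_by=scored_by,
    )


def triage(feed: dict) -> dict[str, list[str]]:
    """Bucket CVE IDs by who scored them, so unscored ones can be routed to manual review."""
    buckets: dict[str, list[str]] = {"nist": [], "cna": [], "none": []}
    for record in feed["vulnerabilities"]:
        sev = severity_for(record)
        buckets[sev.scored_by].append(sev.cve_id)
    return buckets


def _v31(source: str, kind: str, score: float, severity: str) -> dict:
    """Build one cvssMetricV31 entry (constructed data)."""
    return {
        "source": source,
        "type": kind,
        "cvssData": {"version": "3.1", "baseScore": score, "baseSeverity": severity},
    }


# Constructed feed in NVD 2.0 shape: one NIST-analyzed CVE, one carrying only the
# CNA's score (the case NIST says it will no longer rescore), one awaiting analysis.
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2099-00001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     _v31(NIST_SOURCE, "Primary", 9.8, "CRITICAL"),
                     _v31("cna@example.invalid", "Secondary", 9.1, "CRITICAL")]}}},
        {"cve": {"id": "CVE-2099-00002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [
                     _v31("cna@example.invalid", "Secondary", 7.5, "HIGH")]}}},
        {"cve": {"id": "CVE-2099-00003", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}}},
    ]
}

if __name__ == "__main__":
    for rec in SAMPLE_FEED["vulnerabilities"]:
        print(severity_for(rec))
    print(triage(SAMPLE_FEED))
```

Keeping `scored_by` alongside the score matters for audit: a CNA score and a NIST score are not interchangeable evidence, and the `none` bucket is exactly the population that the narrowed NVD scope leaves to the consumer.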

While the agency remains the ultimate authority providing a government-backed catalog of vulnerability assessments, it acknowledged these changes will affect its users.

“This risk-based approach is necessary to manage the current surge in CVE submissions while we work to align our efforts with the needs of the NVD community,” the agency said. “By evolving the NVD to meet today’s challenges, we can ensure that the database remains a reliable, sustainable and publicly available source of information about cybersecurity vulnerabilities.”

The post NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities appeared first on CyberScoop.

HHS updates a free risk tool to help hospitals size up their cybersecurity exposure

The Department of Health and Human Services unveiled a tool Thursday to help health care facilities assess their cybersecurity risks, giving those threats the same emphasis as weather and other hazards.

The assistance from HHS’s Administration for Strategic Preparedness and Response (ASPR) comes in the form of an update to the Risk Identification and Site Criticality (RISC) 2.0 Toolkit to include a specific focus on cybersecurity. 

RISC is a free tool to help organizations identify threats and vulnerabilities, estimate consequences and share their findings with others. Now it will include a cybersecurity module, too.

The module walks users through a series of questions and measures them against the influential National Institute of Standards and Technology Cybersecurity Framework 2.0, as well as HHS’s own voluntary cybersecurity performance goals.

John Knox, principal deputy assistant secretary at ASPR, said the change was a response to growing cyber threats.

“This module is the latest addition to our toolkit of resources to assist our health care and public health partners in preventing the disruption of patient care and strengthening national health security,” Knox said in a news release. “We must acknowledge that cyber safety is patient safety and that cyber threats can cause cascading problems across the health care industry. The new cybersecurity module will help our partners understand what is needed to strengthen their resilience and we strongly encourage them to take advantage of it.”

It continues an emphasis ASPR’s Charlee Hess discussed at CyberTalks last month, with the landmark Change Healthcare attack prompting the HHS division to look at ways to help organizations manage risk from third-party providers.

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, said the creation of the cyber module was a “smart move,” with the RISC toolkit already being integrated into thousands of health care systems. He also liked the toolkit leaning on the NIST framework and HHS’s performance goals.

“By putting cyber side‑by‑side with other threats and hazards in a unified platform, RISC 2.0 can help hospital and health system leaders see cyber exposure in the same context as hurricanes, active shooters, or power failures,” he said in an emailed response to CyberScoop. “That visibility can drive more informed conversations at the executive and board levels about where to invest in cybersecurity, what gaps are most critical, and how cyber disruptions might cascade into real impacts on patient care.”

The post HHS updates a free risk tool to help hospitals size up their cybersecurity exposure appeared first on CyberScoop.

CISA publishes a post-quantum shopping list for agencies. Security professionals aren’t sold

The Cybersecurity and Infrastructure Security Agency is hoping to guide federal agencies through the murky process of updating their technology stack with quantum-resistant encryption.

On Jan. 23, the agency released a list of different IT software and hardware products that are commonly purchased by the federal government and use cryptographic algorithms for encryption or authentication.

The guidance covers cloud services like Platform-as-a-Service and Infrastructure-as-a-Service, collaboration software, web software like browsers and servers, and endpoint security tools that provide full disk and at-rest data encryption.

CISA pointed to these products as examples where hardware and software post-quantum cryptography standards are “widely available” and designed “to protect sensitive information…including after the advent of a cryptographically relevant quantum computer (CRQC).”

Federal agencies and the private sector are preparing for the long-term threat posed by quantum computers, which many cryptographers believe will one day be able to break through some forms of classical encryption.

The federal government is currently operating under an executive order mandating that agencies shift most of their high-value systems and devices to post-quantum encryption by 2035. Last year, the Trump administration held discussions with allies and quantum industry executives about a potential executive order that would further move up that timeline.

National security officials have cited concerns that foreign nations could be harvesting encrypted data now in the hopes of accessing them once a quantum codebreaking computer is developed. Industry executives have also pointed to lingering concerns around China’s burgeoning quantum industry as another factor making U.S. businesses and policymakers in Washington nervous.

However, the transition to quantum-resistant encryption protocols is expected to be a massive societal task, one that will require parallel collaboration and buy-in not only from hardware and software vendors but also from the constellation of standards bodies, protocols and backend processes that help transport data across the internet.

That reality can lead to an uneven procurement field for buyers, who are being pressed to purchase and implement post-quantum encryption solutions today.

Alongside the more mature categories, CISA also listed a variety of other technologies – including networking hardware and software, Software-as-a-Service, and security tools like password managers and intrusion detection systems – as product categories where manufacturers are “encouraged” to implement and test PQC capabilities.

Even the list of seemingly “PQC safe” technologies offered by CISA comes with a caveat: most have post-quantum standards in place for key encapsulation and key agreement, but not for digital signatures or authentication. 

Adopting newer post-quantum cryptography will also require redesigning much of the core backend infrastructure that encrypts our data across the internet. Major internet cryptographic protocols like Secure Shell Protocol (SSH) and Transport Layer Security have done some foundational work in this area.

But Surabhi Dahal of Encryption Consulting noted in September that “most protocols are still in the early stages, with proposals being drafted, prototypes being and testing underway to determine how quantum-safe methods can be integrated into existing systems.”

A 2024 study from the Department of Energy’s Pacific Northwest National Laboratory looked at technical challenges associated with post-quantum migration in just one industrial sector: electric vehicle charging infrastructure. The study found companies faced numerous internal and external obstacles, including “interoperability concerns, the computational and memory demands of PQC algorithms, and the organizational readiness for such a transition.”

Roberta Faux, head of cryptography and field chief technology officer at Arqit, a firm that provides post-quantum encryption services, told CyberScoop that CISA’s guide “omits much” detail needed to credibly guide organizations as they navigate their post-quantum security options.

For instance, she said the document provides little to no insight on how to set up cryptographic inventories or timelines, what performance data should be used to measure tradeoffs, how CISA measures or defines what it means by “PQC-capable” or guidance on how to set up hybrid models.

The document “ends up feeling optimized for procurement compliance rather than security outcomes,” she said.

Peter Bentley, chief operating officer for Patero, another post-quantum encryption company, expressed similar sentiments, noting that “the hardest part isn’t selecting a post-quantum algorithm—it’s knowing where cryptography actually lives” because most organizations don’t have detailed inventories. 

“Without that visibility, and arguably developing a Cryptographic Discovery and Inventory best practice, ‘PQC-enabled’ becomes a marketing label instead of a verifiable capability, especially in hybrid or mixed-vendor environments,” Bentley said. 

Faux said CISA’s guidance also “concedes a weakness in today’s post-quantum transition,” namely that most vendor offerings labeled as “PQC-capable” really only address parts of the cryptographic process, leaving some functions, like digital signatures and key establishment, with the same classical forms of encryption policymakers are trying to replace.

Cryptographic transitions, she said, are measured in decades, largely due to the time it takes to work out interoperability, performance and operational tradeoffs, with the result being “an extended period of half-measures.”

One footnote in the agency guidance acknowledges that two of the post-quantum algorithms approved by the National Institute of Standards and Technology, ML-DSA and SLH-DSA, currently lack production-ready support for implementation. Faux noted that “this is not a minor caveat.”

“Key agreement without quantum-safe authentication provides limited protection,” she said. “An attacker can still forge certificates, impersonate endpoints, or conduct man-in-the-middle attacks, even if the session keys are quantum-resistant. In this context, ‘partial resistance’ is functionally equivalent to no resistance.”
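The gap Faux and Bentley describe, key agreement that is post-quantum while authentication stays classical and no inventory that would reveal it, is something a defender can measure rather than take from a vendor label. The following is an added example (not code from CyberScoop, CISA or the vendors quoted) of the classification step in a cryptographic inventory: it takes per-connection records of the kind a server’s own TLS handshake logging or a terminating proxy can emit (negotiated key-exchange group and the peer’s CertificateVerify signature scheme) and labels each handshake as fully post-quantum, key-agreement-only, authentication-only or classical. The handshake records are constructed; the group and scheme names follow the IANA TLS registries and the IETF ML-KEM and ML-DSA TLS drafts, and the exact spellings should be treated as an assumption where those drafts are still moving.

```python
"""Label observed TLS 1.3 handshakes by how much of each is post-quantum.

Added example; not code from CyberScoop, CISA or the vendors quoted.
Separates key agreement from authentication so that a "PQC-enabled"
claim can be checked against what actually negotiated. Handshake records
are constructed. Group and scheme names follow the IANA TLS registries
and the IETF ML-KEM / ML-DSA TLS drafts (spellings are an assumption).
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Key-exchange groups carrying an ML-KEM component (hybrid or standalone).
PQ_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024",
             "MLKEM512", "MLKEM768", "MLKEM1024"}
# Signature schemes backed by ML-DSA; anything else is treated as classical.
PQ_SIG_SCHEMES = {"mldsa44", "mldsa65", "mldsa87"}

FULL = "full"
KEX_ONLY = "partial-kex-only"
AUTH_ONLY = "partial-auth-only"
CLASSICAL = "classical"


@dataclass(frozen=True)
class Handshake:
    host: str
    group: str       # negotiated key-exchange group from the key_share extension
    sig_scheme: str  # signature scheme the peer used in CertificateVerify


def classify(h: Handshake) -> str:
    """Return which parts of the handshake rest on post-quantum algorithms."""
    pq_kex = h.group in PQ_GROUPS
    pq_auth = h.sig_scheme in PQ_SIG_SCHEMES
    if pq_kex and pq_auth:
        return FULL
    if pq_kex:
        # Recorded traffic resists later decryption, but the peer is still
        # authenticated with a classical signature.
        return KEX_ONLY
    if pq_auth:
        return AUTH_ONLY
    return CLASSICAL


def inventory(handshakes: list[Handshake]) -> dict[str, int]:
    """Count handshakes per coverage class: the first line of a cryptographic inventory."""
    return dict(Counter(classify(h) for h in handshakes))


def hosts_with_classical_auth(handshakes: list[Handshake]) -> list[str]:
    """Hosts whose key agreement is PQ but whose authentication is not (sorted, deduplicated)."""
    return sorted({h.host for h in handshakes if classify(h) == KEX_ONLY})


# Constructed observations; hostnames are placeholders, not real services.
SAMPLE = [
    Handshake("api.example.invalid", "X25519MLKEM768", "rsa_pss_rsae_sha256"),
    Handshake("api.example.invalid", "X25519MLKEM768", "rsa_pss_rsae_sha256"),
    Handshake("vpn.example.invalid", "x25519", "ecdsa_secp256r1_sha256"),
    Handshake("lab.example.invalid", "X25519MLKEM768", "mldsa65"),
    Handshake("legacy.example.invalid", "secp256r1", "rsa_pkcs1_sha256"),
]

if __name__ == "__main__":
    print(inventory(SAMPLE))
    print(hosts_with_classical_auth(SAMPLE))
```

The `partial-kex-only` bucket is the one the article is about: those hosts do address the harvest-now-decrypt-later concern raised earlier, but their certificates and signatures are still classical, which is the footnote CISA attaches to its own list.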

The post CISA publishes a post-quantum shopping list for agencies. Security professionals aren’t sold appeared first on CyberScoop.

NIST officials detail impact of staff cuts on encryption and other priorities

The National Institute of Standards and Technology is starting 2026 with a smaller staff, a shrinking budget and some big responsibilities around supporting national security and cybersecurity.

At a meeting Wednesday of the Information Security Privacy Advisory Board, NIST officials provided updates on how they’re grappling with several Trump administration priorities, including mandates on AI, cybersecurity and post-quantum encryption.

Kevin Stine, director of the Information Technology Laboratory (ITL) at NIST, said the agency has shed more than 700 positions since Trump assumed office last year through personnel initiatives such as resignations and voluntary deferments. His office, which focuses on IT measurements, testing, and standards, has a headcount of 289 and lost about 89 employees over the last year.

More constraints are on the way, as the latest “minibus” spending package from Congress would cut $13 million from NIST’s labs program, something Stine called “relatively good numbers” compared to other budget proposals he’d seen.

While Stine did not stump for more money or staff, he said the constraints have caused the office to reshuffle remaining resources on a narrower set of priorities.

“It’s forcing a very focused discussion on prioritization of our activities,” said Stine. “Certainly critical emerging technologies and anything aligned with the new NIST strategy, as well as administration priorities, are going to be top of the list and we will adequately resource those.”

NIST’s technical work testing and validating encryption for the federal government is also dealing with impacts from the staffing reductions.

Part of ITL’s mission involves jointly working with the Canadian Centre for Cybersecurity to validate the cryptography of commercial IT hardware and software purchased by their governments.

David Hawes, program manager for the program at NIST’s computer security division, called this process “associatingly complex” because of how many different implementations and technologies testers must account for when validating encryption, but said in essence it was about establishing a baseline level of trust between vendors and the federal agencies buying their products.

“The way that we think of what our office does is: we’ve got a standard, we’ve got testing, we validate it,” said Hawes. “Can…federal government purchasers and users of these products, can they trust the cryptography? That’s what this is all about. Does it meet the standard? Can it be trusted with the information that’s there?”

Until recently, “a lot of the trust” in NIST’s validation process came from back-end human-led reviews after labs tested products. This approach “heavily required manpower” to sift through hundreds of pages of technical documents, certifications, non-machine-searchable PDF files and other unstructured data. Hawes said in years past, this work was typically assigned to junior NIST staffers.

A review of the past 30 cryptographic validations performed by NIST found that it took an average of 348 days to complete each project. However, Hawes said the agency has reduced its backlog from nearly two years in 2020 to about six months today.

The ultimate goal is to reduce the validation process to “days.” Some of that work can be picked up through automation and other streamlined workflows, but Hawes suggested that could be difficult under current staffing numbers.

“I would say [our progress to date] was in spite of the loss,” he said. “We’d be a lot better off in terms of the queue lane now had we not lost the people recently that we did.”

The federal government is shifting its IT from older, classical encryption to newer “quantum-resistant” algorithms meant to protect federal systems and devices from cyberattacks enabled by a quantum computer in the future. As agencies work to identify and replace encryption protecting their most sensitive assets, they also face a deadline: older encryption applications, like RSA, are set to be formally deprecated by 2030.

Hawes said NIST is preparing to support that effort and tested its first post-quantum cryptographic module in recent weeks. However, solving the backlog, he suggested, was the fastest way to provide that help.

“I would say collectively our approach is…getting post-quantum modules validated sooner,” said Hawes. “So get the queue down, get them in, get them through.”

The post NIST officials detail impact of staff cuts on encryption and other priorities appeared first on CyberScoop.
