Do SMBs Need a CISO? | ActZero

Written by Adam Winston | May 2, 2019 4:00:00 AM

As part of our “C-Suite Accountability” theme, we explore why holding senior executives accountable is a necessary motivator in the prioritization, development, and adoption of cybersecurity initiatives across the small to medium-sized organization. In this post, our own Virtual CISO discusses the role in SMBs in an effort to remove barriers and highlight its necessity.

When I face objections about the Virtual CISO service from stakeholders at SMBs, it’s usually based on the (perceived) absence of need for the outcomes it drives. Maybe they don’t fully understand what those outcomes are? I also hear a lot of rationalization about why SMBs simply “don’t need me yet” even when they know the outcomes. Objections like these contribute to misinformation in the market and could deter somebody from getting a CISO when they really need one. Read on for the 5 reasons SMBs think they don’t need a CISO, and my rebuttals to each of them, as I defend the tremendous value of a CISO to any organization without one.

First, what outcomes does a CISO drive?

I’ve covered the role and responsibilities of a Virtual CISO before. The outcome it should be driving for you is “regulatory compliance”… which really means understanding where you are vulnerable from an information security perspective, and understanding what the law says you need to have in place to protect the privacy of your clients, partners, employees, and yourselves. Think about all this in the context of the risk of losing your intellectual property, your competitive advantage, or even your ability to operate.

With that context in mind, here are the five reasons that some SMBs incorrectly believe that they don’t need a CISO:

1) I’ll Just Download Something from the Internet…

It has never been easier to access a pile of unqualified opinions about what you “should do” in any given situation. Isn’t that how most people make important decisions these days – by crowdsourcing from the under-informed and overly vocal? When I ask “Can I help you with the creation of a Data Retention Policy, that’ll keep you compliant from an industry regulation perspective, and secure from a data access perspective?” I’m often met with “Nah, that’s OK – I’ll just Google it.” I shouldn’t need to explain this, but one reason you choose a person is they can take the path that is right for your business specifically.

Does a random search result know your industry? Where you are based? The technology you use? Whether you have customers in other geographies? Whether your business is required to comply with other frameworks than the one you knew to look up?

2) We’re Small – What Value Can a CISO Add?

There are perceptions out there that small businesses aren’t subject to regulations, or are too small to get hacked. Both of these are easily refuted. Regulations that came into effect recently specify that your business must have a CISO – NYCRR 500 specifically, although GDPR requires a “data controller”, which is similar. California’s Consumer Privacy Act does have exemptions for small businesses – but they only apply to organizations with fewer than 25 employees.

As for too small to be targeted, our whole business is centered around protecting small to medium-sized enterprises. Reports from last year substantiate this, with 53% of mid-market companies breached in 2018*.

3) We Don’t Have Sensitive Data – What Can a CISO Do For Us?

Let’s forget about data for a moment (sacrilege, I know) – what about your operation? Despite the name, it’s not only information that a CISO deals with. We help with architecture, with hardening your operation wherever data flows within it. You may have engineers, and they can use the technology and install it in your environment… but they don’t have a strategy. What happens when the ways your employees access data change? Or when you gain a new international partner who needs to access this information to fulfill orders or invoices?

Another misperception is that unless you are actively mining user data from an application, or running a security company or law firm, you don’t have sensitive information. The fact is that a lot of information is sensitive these days, including data that most companies have in abundance. If you’re selling something to consumers, and collect any information about them, chances are that you have personally identifiable information (PII). If you sell to businesses – transactional and firmographic data. If you have contracts, intellectual property, payment information, or even employee information (like Social Security or Social Insurance Numbers), they are all sensitive in different ways. Your business has information that must be secured. Period. It’s the organizations that aren’t aware of this that need the services of a CISO the most!

4) We Haven’t Been Audited – We’ll Engage A CISO If We Are

The misperception here is that the policies, processes, controls, and technologies required to comply with an audit (whether conducted by a partner, consultant, government, or government supplier) can just happen instantly. OK, maybe not instantly – but, surely, within the two weeks’ notice I have that I’m being audited… right?!

While writing policies can be accomplished relatively quickly (especially if you’re really just stealing them from the internet), actually implementing the checks, balances, processes, and training to enforce them does not happen overnight. This type of procrastination can severely impact you when you are audited – ironic given that these frameworks are designed to mitigate risks.

5) I don’t have Cybersecurity (People, Processes, Technology) – Why Do I Need a CISO?

This isn’t a chicken-and-egg problem. A CISO doesn’t mean “a body to operate my cybersecurity technology.” This is the very person who could advise you to forgo the long path of buying security technology and outsource your security instead. This is the person who can help you assess what the need really is, before rushing to purchase a solution. This is the person who can qualify the risks your business is facing, and choose a solution that enables you to comply from a regulatory perspective, and be secure from a risk management perspective.

As you can see, these misperceptions contribute to the notion that SMBs aren’t subject to that overarching outcome a CISO drives – regulatory compliance. The fact is that the law, in various ways, covers every business, including small to medium-sized ones. If you would like greater clarity on why SMBs specifically stand to benefit from an engagement with one of our Virtual CISOs, don’t hesitate to reach out to ActZero. ActZero Managed Detection and Response clients have the option to access our Virtual CISO and Incident Response services, to secure the small to medium-sized business from all angles.

*Dark Reading, Under Attack: Over Half of SMBs Breached Last Year, 3/26/2019