Small and medium-size businesses outsource a number of IT functions to improve operations and reduce costs. As they face growing data security threats—employee error or theft, cyber attacks, and more—it’s critical for SMBs to develop robust information security programs.
While it may not make financial sense for SMBs to bring a chief information security officer on board, the organizational need for this resource is clear. A surprising 77 percent of SMBs believe they’re safe from attacks, according to the Ponemon Institute. Yet SMBs are typically more vulnerable to breach risks than larger organizations because they often have valuable data, lack the technical or financial resources to adequately protect sensitive data, and are unaware of threats and security best practices.
There are a number of immediate, effective measures SMBs can take to fortify their information security, and they don’t have to be expensive:
1. Don’t confuse IT with information security. Understand the different and distinct roles IT and InfoSec play when securing data. It may be helpful to think of IT as designing and building the house, while InfoSec makes sure it meets fire code. IT often selects and implements technology so a business works efficiently, while InfoSec partners with IT to defend sensitive information from unauthorized access and use.
2. Find the right fit for your SMB. Identify the qualities your SMB needs in an information security officer. The CISO role is relatively new and constantly evolving to meet threats. Qualified candidates must have a strong technology background and the people skills needed to effect change in an organization’s security program. They must be able to communicate complex issues clearly and plainly, and often in charged situations such as the aftermath of a breach. Though reports show a 42 percent increase in information security analyst positions in the workforce, the demand for strong candidates continues to grow.
3. Consider working with a consultant that offers access to an on-call CISO. There is a significant shortage of talented candidates who can face today’s cyber threats, according to reports in USA Today and the Wall Street Journal. But SMBs may not need a full-time information security position on staff. A smart alternative for getting access to experienced, qualified professionals is to work with a consulting firm that can provide critical guidance and resources at a fraction of the cost.
CyberScout Consulting can provide flexible and affordable services to fill the void of a dedicated information security, compliance, data privacy, or information governance resource for a fraction of the cost of a fully staffed team.
Deena Coffman is chief executive officer of CyberScout Consulting.