What is Cybersecurity for the Small to Medium size Organization?

  • Writer: Susan Sons
  • Jul 2

The vast majority of good cybersecurity work being done today is focused on the largest targets: federal agencies, militaries, and business giants such as the Fortune 1,000 and unicorn start-ups.  It was a natural fit: these organizations have big budgets, obvious threats, and (we hope) large, mature IT operations.  Unfortunately, the many challenges of these massive organizations have created dangerous myths around cybersecurity for every other organization:


  • We're too small to need cybersecurity.

  • If we meet our regulatory obligations, we're safe.

  • If we copy what the giant organizations are doing, we'll be extremely secure.

  • We can't afford to do what the giants are doing, so we can't do cybersecurity at all.

  • Our cyber insurance policy takes care of all of our cybersecurity risk.


Thanks to this thinking, we live in a world where 60% of small businesses that experience a cyber attack go out of business within 6 months (Qualys).  Cyber insurance premiums for small businesses have increased by 40% in the past two years, due to increased risk.  Forbes reports that 1 in 5 small businesses could close due to ransomware in the coming year.  We couldn't find anyone tracking statistics for organizations that are bigger than the small business threshold, or that aren’t businesses at all, but are still within the world of small/medium organizations.


What the wide range of small-to-medium organizations have in common is the effect that scale has on their cybersecurity:

  • They can’t afford to “just throw money at it”.  The U.S. Government is estimated to be spending about 13 billion dollars on cybersecurity this year (and it still suffers many breaches).  Small-to-medium organizations have to understand where their limited cybersecurity budget will do the most good, and how to measure what is working and what isn’t, in order to get a worthwhile return on cybersecurity investments.

  • They face challenges in finding and retaining cybersecurity talent.  Much of the cybersecurity talent on the market is highly specialized: Alice does vulnerability scanning, Bob works with potential vendors to vet them and their products from a security perspective, Carol builds and runs cybersecurity programs, Dave does incident response.  However, smaller organizations can’t hire a full-time expert for each operational task.  They need to find generalists, and then find ways to help those generalists advance their careers, or lose them.  One option is to get a virtual cybersecurity team: a cybersecurity company hires, trains, and develops staff, enabling other organizations to access specialists and generalists alike in less-than-full-time commitments.


  • Their needs are disconnected from common standards.  Common cybersecurity standards, such as those found in the NIST 800 series, were created for federal agencies or other extremely large organizations.  This guidance is often misleading for smaller organizations.  Following it without understanding and navigating the disconnect can lead to incredible waste, hobbling the effectiveness of a small organization’s cybersecurity.


How To Build Effective Cybersecurity In Small-to-Medium Organizations


Make a commitment

Someday, we'll look at organizations shrugging off cybersecurity the same way we now look at 19th and 20th century factories that shrugged off worker safety.  Cybersecurity needs to be on leadership's plate if the organization is going to adapt to this new reality, the same way financial risk has always been.


This doesn't mean the CEO does cybersecurity, just like the CEO isn't also the company's accountant.  It means that the CEO works with the CISO (Chief Information Security Officer) to understand business risks, set a budget, and agree on a strategy.  The CEO holds the CISO accountable and keeps them aligned with the organization's overall strategy and priorities.  The CEO ensures that, if there is a board, there's a channel for them to learn from the CISO about the strategy, funding, and maturity of the cybersecurity program, as well as major risk factors.


Most importantly, the CEO sets a direction for others throughout the organization: just like managing our money and seeing to human safety aren't optional here, cybersecurity is not optional.


Understand Your Risks

Cybersecurity presents a set of existential risks to organizations today... but not the same risks to all organizations.  A good CISO crafts cybersecurity strategy to support the business mission, and makes smart trade-offs based on the needs, risks, and resources of a particular organization.


Employ Checks and Balances

Your Chief Operating Officer (or equivalent) is rewarded by the organization by building more/faster/better.  Your Chief Financial Officer (or equivalent) balances that person out by keeping financial risks in check and ensuring that the CEO/President/Board can make informed risk decisions.  That's how it should be.


Unfortunately, most organizations don't take advantage of cybersecurity's ability to provide a check against technology risks broadly.  They see cybersecurity as "technology stuff" and bury it under the CTO/CIO or a general IT vendor.  Better CTOs/CIOs work hard to mitigate the conflict of interest this presents... but it's still there.  The executive (or vendor) charged with delivering more/faster/better technology shouldn’t be the gatekeeper of what information about the organization's data and technology-related risks reaches business leadership.


Ideally, the CISO should be an equal peer to the CTO/CIO.  In some smaller organizations, this is not possible.  In those cases, placing cybersecurity under another risk-limiting executive may work.  Consider your CFO, or General Counsel if that person is part of your executive team, as a potential reporting line for your CISO.  Or, get a virtual CISO -- a professional CISO shared by multiple organizations -- through a trusted partner.  This trusted partner should not be your cyber insurance or major IT vendor, as those present their own conflicts of interest.


Start By Getting Your House In Order

There's a lot of temptation to jump quickly into the flashiest cybersecurity approaches making the news.  However, if the basics aren't in place, those high-end devices and services won't help you.  Penetration tests won’t help you either, because they become a very expensive way to get a 100-page report on basic cybersecurity hygiene.


Good cybersecurity is decidedly not sexy.  It begins with understanding the organization's mission, risks, and technology.  Next come policy decisions, baseline controls, and the steady hum of cybersecurity operations.


Evolve Your Cybersecurity

Once the basics are in place, it’s time to iterate.  Just as threats are always evolving, defenses against those threats must evolve over time, too.  Done right, your cybersecurity improves incrementally over time, as any part of your organization should.


Get the Help You Need

<insert Stoic plug here>
