I think that small and mid-size businesses are the most underserved segment of the information security market today. These companies have not given information security the attention it requires, and the breach data indicates they will pay a steep price for not doing more.

Robert Plant, writing for the Harvard Business Review on June 4, 2013, spoke very plainly about the need for a CSO in companies today. Mr. Plant writes:

“First off, if the company doesn't have a CSO and the chief executive thinks the 'S' has something to do with sustainability, just fire him. If it does have a CSO and the CEO chooses to eliminate that position, do the same thing, because it's the wrong answer. While you're firing him, inform the CEO that data security is the number one critical need for U.S. corporations today, and that the CSO is kind of like the chairman of the Joint Chiefs of Staff. You wouldn't get rid of the chairman of the joint chiefs in wartime.”[1]

While Mr. Plant is speaking of large corporations, the CEOs of smaller firms should have exactly the same concerns when it comes to information security. It may not seem like it, but we are at war. It is an economic war, and the prize is the intellectual property held by companies large and small. The number of cyber attacks is rising, and both nation states and cyber criminals are investing heavily in them. Everyone in the security field has heard this before. Even so, the industry has struggled to get information security recognized for what it is: a critical component of enterprise risk.

Small and mid-size businesses are especially at risk. I consult with a lot of companies on the use of managed security services and on security strategy in general, and many of them, especially in the small and mid-size range, do not have adequate security controls. Standard controls such as network monitoring, intrusion detection and intrusion prevention are simply missing. Asked whether they have ever had a breach, the answer is a surprising and confident “no”. But a firm that is not monitoring its network has no way to detect a breach, so its “no” really means “none that we noticed”. It seems that for some firms ignorance is a defense strategy.

To be fair, these organizations may not be able to support a full-time CSO. However, assuming there is no risk simply because nobody is looking could be a big mistake, and small and mid-size businesses do have options. Many managed security firms, as well as independent security consultants, now offer security strategy and part-time CSO services. Cloud service providers (CSPs) are also doing a much better job of building security into their IaaS, PaaS, and SaaS offerings, although the customer still owns the configuration, access control and monitoring of what it runs there.

It’s time for the CEOs of these firms to take a hard look at what they have at risk and at what the impact of an information security breach on their company would be. They might find the answer is quite a lot.

[1] Plant, R. “Does Your CEO Really Get Data Security?” Harvard Business Review, June 4, 2013. http://blogs.hbr.org/cs/2013/06/does_your_ceo_really_get_data.html