Where does a Small Business Start with Cybersecurity – Part I
Where does a small business start with cybersecurity? Cybersecurity is a vital component of any small business strategy. However, it may feel overwhelming if you’re just starting the process of securing your business’s data. This post is the first in a series to help small businesses challenged with securing their organization and services.
Searching through the volumes of information on the Internet, I encountered many suggestions, recommendations, guidelines, and step-by-step lists for getting started. While all are excellent places to begin, I am going to start with no-cost and foundational recommendations.
1. Where Does a Small Business Start with Cybersecurity?
Today, we’re going to focus on the importance of establishing a cybersecurity owner for your business. This individual needs to be at the executive level and must be accountable for the business’s cybersecurity.
2. Understand Why a Small Business Needs a Dedicated Cybersecurity Owner
The reasoning is straightforward. Every business is different, and the cybersecurity goals, components, tools, and methods needed to secure the business will vary and change as a company matures and evolves. What is needed to secure your business is a unique question that must be clarified and answered. Like any nebulous task or project, nothing will be achieved without an owner who can drive and maintain the program. A single, accountable owner must be assigned to answer this question and promote the answer across the business.
Designating an executive as the owner is the first fundamental step in resolving the question. Without a clear owner, no security or compliance effort will be taken seriously, and no progress or success will be realized. Every action and project will be seen as flailing, with whack-a-mole responses to incidents and breaches. I explicitly state that the Owner must be an executive and not necessarily a dedicated cybersecurity professional.
“Securing the business” is not a singular task or project. It is a strategic and tactical process that changes as the business grows and matures. A non-manager or individual contributor will not have the experience or knowledge to understand the requirements of securing the business. This choice makes as much sense as having an entry-level engineer manage the strategic direction of a critical development organization. The Owner must have a companywide understanding of the business, its goals, organizations, assets, and essential components and data.
For Small and Medium-sized Businesses (SMBs), it is common to have no designated or dedicated owner for cybersecurity and little to no cyber expertise on staff. A natural progression is to add to or expand the duties and job description of an existing Information Technology (IT) resource to include cybersecurity.
3. A Small Business Can Use Existing IT Personnel to Manage Cybersecurity
This choice is a well-trodden path filled with missteps and hazards.
Although it seems logical to designate the IT Manager, Director, or CIO as the Cybersecurity Owner, they may not have the visibility or awareness of non-IT areas across the entire business to understand what, where, and how services need to be secured. IT can be a fallback choice, and often is, but IT is focused on technology issues, solutions, and remediations, which means non-IT cybersecurity risks and issues will not be prioritized.
4. When it Comes to an SMB, Use your CFO as your Initial Cybersecurity “Owner”
I recommend designating your CFO or accounting executive as the Initial Cybersecurity Owner, since they know where all the fiscal bodies are buried. Every CFO must know and understand what, where, when, by whom, and how company funds are being committed and spent. They are familiar with critical assets, risks, compliance, commitments, goals, and business growth. This comprehensive knowledge is vital in the initial creation and establishment of a cybersecurity program.
It’s important to note that I am not suggesting the CFO should or needs to be the final and ongoing owner of cybersecurity, but they are the reasonable choice for initial ownership. The CFO has significant “skin in the game” with respect to the successes and failures of the company’s cybersecurity program.
Cybersecurity ownership may then progress in a rapid and logical transition from CFO to CIO/CTO to CISO as the business matures in its security posture, resources, requirements, commitments, and challenges.
One of the first steps of this cybersecurity “owner” should be to establish a cybersecurity budget. Below is a link to my budget template to help you get started.
Now that you know the first steps to take, your small business can get the best start on strong cybersecurity practices. We hope our template is of use, and our CRI CyberADVANTAGE is available to provide Advisory and Consulting Services.