Cybersecurity: No People, No Resources, and No Money. No Problem!
Where does a small business start with cybersecurity? Cybersecurity is a vital component of any small business strategy. However, it may feel overwhelming if you’re just starting the process of securing your company’s data. This post is the first in a series to help small businesses challenged with securing their organization and services.
Searching through the volumes of information on the Internet, I encountered many suggestions, recommendations, guidelines, and procedures for those first steps. While all are excellent places to begin, I am going to start with no-cost, foundational recommendations.
First Cybersecurity Recommendation: Designate an Owner, if possible a Cybersecurity Executive, to establish your Cybersecurity program.
Today, we’re going to focus on the importance of establishing a cybersecurity owner for your business. This individual needs to be at the executive level and must be accountable for the organization’s cybersecurity solutions.
Why Does My Business Need a Dedicated Cybersecurity Owner?
The reasoning is straightforward. Every business is different, and the cybersecurity goals, components, tools, and methods needed to secure the business will vary and change as a company matures and evolves. What is needed to secure your business is a unique question to be clarified and answered. Like any nebulous task or project, nothing will be achieved without an owner who can drive and maintain the program. A singular, accountable owner must be assigned to address and promote this answer for the business.
Designating an executive as owner is the first fundamental step in resolving the question. Without a clear owner, no security or compliance effort will be taken seriously, and no progress or success will be realized. Every action and project will be seen as flailing, with whack-a-mole responses to incidents and breaches. To be explicit: the Owner must be an executive, and not necessarily a dedicated cybersecurity professional.
“Securing the business” is not a singular task or project. It is a strategic and tactical process which changes as the business grows and matures. A non-manager or individual contributor will not have the experience or knowledge to understand the requirements of securing the business. This choice makes as much sense as having an entry-level engineer manage the strategic direction of a critical development organization. The Owner must have a companywide understanding of the business, its goals, organizations, assets, and essential components/data.
For Small and Medium-sized Businesses (SMB), it is very common to have no designated or dedicated owner for cybersecurity and little to no cyber expertise on staff. A natural progression is to expand the duties/job description of an existing Information Technology (IT) resource to include Cybersecurity.
Can I Use Existing IT Personnel to Manage Cybersecurity?
This choice is a well-trodden path filled with missteps and hazards.
Although it seems logical to designate the IT Manager/Director/CIO as the Cybersecurity Owner, they may not have visibility or awareness of non-IT areas across the entire business and organization to understand what, where, and how services need to be secured. And while IT can be, and often is, the fallback choice, IT is focused on technology issues, solutions, and remediations, which means non-IT cybersecurity risks and issues are not prioritized.
For Cybersecurity, a Good Choice for an SMB Is Your CFO as the Initial “Owner”
I recommend designating your CFO or accounting executive as the Initial Cybersecurity Owner, since they know where all the fiscal bodies are buried. Every CFO must know and understand what, where, when, who, and how company funding and expenditures are being made and spent. They are familiar with critical assets, risks, compliance, commitments, goals, and business growth. This comprehensive knowledge is vital in the initial creation and establishment of a Cybersecurity program.
It’s important to note I am not suggesting the CFO should or needs to be the final and ongoing owner of cybersecurity, but they are the reasonable choice for initial ownership. The CFO has significant “skin in the game” with respect to the successes and failures of where the organization starts with cybersecurity initiatives.
Ownership may then progress rapidly and logically from CFO to CIO/CTO to CISO as the business matures its security posture along with its resources, requirements, commitments, and challenges.
In conclusion, designating the SMB CFO as the Initial Cybersecurity Owner is a great choice due to their knowledge of what needs to be protected, how much the company can afford to spend to secure it, and their ability to represent the appropriate level of risks and consequences to the executive team.
One of the first steps of this cybersecurity “owner” should be to establish a cybersecurity budget. Below is a link to my budget template to help you get started as well as another informative blog about The Secret to Good Cyber Security.
We hope our template is of use in helping you and your company determine where to start with cybersecurity. CRI’s Cyber experts are always available to provide Advisory and Consulting Services.