Small businesses create two-thirds of net new jobs and drive innovation and competitiveness that produces 44 percent of U.S. economic activity (SBA Office of Advocacy, 2019). According to the 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, however, nearly 9 in 10 (88 percent) U.S. respondents indicated they spend less than 20 percent of their overall IT budget on security. The same report found that nearly 70 percent of SMBs experienced cyberattacks. These findings highlight two misconceptions that lead organizations to prioritize their security investments incorrectly.
Some organizations believe spending more will improve security and reduce their susceptibility to attacks. Throwing money at the problem might increase security, but not necessarily. The goal should be to invest properly in people, processes, and technology that will help reduce and manage risk at an acceptable level. Security spending will not prevent a breach, but spending the bare minimum (or nothing at all) increases the likelihood that controls and procedures to contain the breach and provide remediation will be ineffective or won't exist.
Other organizations believe that prioritizing compliance will make them more secure. These organizations design their corporate security programs to make regulatory compliance the highest priority. Security concerns above and beyond compliance fail to compete with other business priorities that demand the attention and resources of the organization. The number of “compliant” organizations suffering from data breaches in the past few years reinforces the problem with making compliance the highest priority. More organizations should adopt the perspective that “compliance is the residue of good security,” which Malcolm Harkins and others have argued consistently for years. Again, investing in and prioritizing security will not prevent a breach. The right investment and prioritization will improve the response and reduce the impact of a breach when it occurs.
I used to think that the CISO was one of the most underappreciated and misunderstood leadership roles in business because the CISO is challenged to succeed in a position of limited influence with an operating budget that is determined by someone else. After years as a business owner, I now recognize that the grass is not greener on the other side. CEOs and other business leaders face even more pressure to deliver results. There is more pressure to succeed, and more people are affected by the wisdom of the decisions made at this level. SMB CEOs face even more pressure because they carry so many corporate responsibilities. The difference between success and failure rests on the SMB CEO's shoulders. In addition to running the business, the SMB CEO also serves as the CFO, CMO, CIO, and CISO.
Security is rarely the top concern within the scope of all risks facing an organization. Even in a security services company like CLASS-LLC, sustaining and growing revenue by serving existing customers and finding new ones are our highest priorities. Security is important, but it is often lower on the list of the most important concerns facing the business. This is true in both large companies that have mature enterprise risk management (ERM) programs and in small companies that have 10 employees or less.
How should organizations balance investing in security people, processes, and technology to protect operations against sustaining and expanding operations to generate the revenue required for security investments? There is no easy answer; it truly is a balancing act. Ideally, security should become so integrated into the fabric of the organization that business decisions are security decisions. Then, as organizations develop strategies for addressing business pressures and growth, they will also consider the security requirements associated with executing their business strategies successfully. This will produce much better outcomes than throwing money at the security problem aimlessly or complying with every regulatory framework facing the business.
I’d love to hear your thoughts. Please join the discussion on LinkedIn.