May 20, 2021
More than ever, cybercriminals are targeting SMBs. Why? Because so many of those SMBs think they’ll never be targeted. Consequently, they see little or no need for robust cybersecurity protection or dedicated professionals that can strategize and oversee the implementation, maintenance and upgrades of that protection. It’s an antiquated and enormously risky mindset that confounds cybersecurity experts. And it’s something that needs to be remedied.
Bringing aboard a CISO (chief information security officer) who is in charge of information and data security is a huge step in the right direction. Even better for businesses with smaller budgets: an offsite virtual CISO (vCISO) whose services are less expensive and oftentimes more comprehensive. In both cases, these cybersecurity professionals must be an integral part of the C-Suite — a constant contributor to and an influence on business decisions rather than closed off in a tech silo.
But that’s putting the cart before the horse. Most companies won’t hire a CISO, let alone give them C-Suite status, unless they’re convinced of the need for one. And when it comes to being convinced, fear-mongering typically backfires. Hypotheticals don’t work well, either. It’s one thing to tell a company that, if it hasn’t already, cybercrime will almost certainly affect their business. Someday. Instead, they need to understand why that’s the case and how the proactive measure of hiring a CISO to oversee security operations is far more effective than simply reacting to trouble down the line.
That’s most effectively done using concrete examples based on (or at least modeled after) actual incidents. In the event of a ransomware attack that cripples a manufacturing operation, for instance, how much will that shutdown cost in lost labor, product output and revenue? How will the attack impact the brand’s reputation? How many current customers will become former customers because they no longer have faith in a manufacturing process that was so easily disrupted? (In the wake of a recent ransomware attack on the Colonial Pipeline, which supplies fuel to the East Coast, a ransom of $5 million was paid to the hackers who shut it down.)
Since just about all business is tech-centric these days — and since many business leaders lack the tech training to comprehend the potentially dire implications of weak security protocols — cybersecurity is often an afterthought that gets short shrifted in business planning and shorted financially come budget time. It makes total sense, then, to have a CISO or vCISO who is in constant communication with key stakeholders. The operative word here is “communication.” CISOs are there to facilitate and expand dialogue, not squelch it. To augment what’s already being done and suggest improvements rather than issue edicts or elbow anyone out. Collaboration is crucial.
“A CISO should be working closely with whoever has the most stake in a company,” says Mindsight cybersecurity expert Mishaal Khan. “In many cases it’s the CEO, but it could also be the CFO as well as a board of directors. And initial conversations need to focus on the potential for profit loss as well as reputational damage.”
Especially in the case of vCISOs, Khan says, it’s vitally important that they find ways to remain an ongoing part of C-Suite conversations. That can be difficult when they’re off-site, but it’s extremely important. Laying out a yearlong plan at the outset, one that includes periodic milestones for cybersecurity enhancements, goes a long way toward achieving this goal. Regular security assessments help, too, as do financial reviews and client check-ins. In one survey by Cybersecurity Ventures, respondents noted that CISOs should also have budget autonomy to do what needs to be done with going through multiple levels of approval.
It’s all part of an ongoing educational process, but one that ultimately pays off big.
“Cybersecurity isn’t just an IT problem, it’s an organization-wide issue that requires executive-level decisions,” Khan says. “That’s why CISOs should be in an executive role.”
Click here to learn more about Mindsight vCISO services, developed to augment the cybersecurity skills gaps that most SMBs are dealing with today. Our vCISO’s deliver comprehensive security strategies with on-demand direction, planning, implementation, and maintenance – extending your network of expertise to help navigate today’s complex and growing threat landscape. You receive the expertise you need at a far more affordable price.
Learn more about Mishaal’s perspective on cybersecurity by requesting a vulnerability scan of your organization’s network environment.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About The Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.