This article was originally published on September 18th, 2018. It has been updated and expanded on.
For years a company's cybersecurity needs were left up to their IT Department. IT was responsible for every decision, every purchase. The C-Suite and its occupants had bigger fish to fry and what little attention InfoSec received, typically dried up before anyone dug in deep at that executive level.
A lot of companies still operate that way. It's unfortunate but true. Especially in the small to medium-sized enterprise space. The executive(s) are just too busy to dive into the issue head first. They have other things that need their immediate attention.
It's no easier for the other side of the coin. IT professionals in smaller organizations typically find themselves stretched incredibly thin. It's hard to focus only on security when countless other tasks keep popping up on their radar.
Currently, cyber attack is the biggest threat to businesses of any size, worldwide. On average, a cyber attack cost enterprises in the United States $1.3 million in 2017 and shows no sign of decreasing (CSO Online: https://www.csoonline.com/article/3227065/security/cyber-attacks-cost-us-enterprises-13-million-on-average-in-2017.html).
To make matters worse, a lot of small to medium-sized enterprise (SME) or small to medium-sized business (SMB) don't have the necessary resources or personnel available to them to help them out of this predicament.
On top of that it's very rare to see an SME or SMB that has corporate officers beyond the Chief Executive Officer and Chief Operating Officer. Trying to find Chief Information Officers (CIO) or Chief Information Security Officers (CISO) at that level of enterprise might be more difficult than finding a needle in a haystack.
Considering how difficult it is to keep highly skilled IT/InfoSec staff in today's market, the severity of the problem multiplies.
According to a recent article from Information Security Magazine, the Global IT security skills shortages have now surpassed four million needed IT/InfoSec professionals. That shortage is only predicted to get worse, leaving SMBs and SMEs in a particularly difficult situation.
The number comes from a recent survey compiled by (ISC)2. That same study says the InfoSec workforce would need to increase by 145% to cope with the growing demand.
Knowing these facts, it only makes sense that cybersecurity is taken very seriously by C-level executives and discussed in the boardroom, regardless of how inconvenient it is to work an InfoSec discussion into a meeting schedule.
Even after you make the time to start openly discussing the cybersecurity health of your business and what it might take to secure it, it's a daunting task actually to put any of those plans in motion or know if they'll work.
It's enough to make your head spin, right?
One of the first things you should probably do is audit your current security set up. You need to ask questions like:
- What products (if any) are we using to protect our end-points?
- Have our Firewalls been updated lately?
- What are we doing about Identity and Access Management?
- Are we following a set of best practices (NIST security framework)
Those are only some of the questions a CEO or COO (again, if you've got one) might be asking themselves once the cybersecurity discussion rears its head during a C-level conversation.
There are some things you can do relatively quickly that'll get the ball rolling.
A great place to start might be with something as easy as a FREE cybersecurity risk scorecard. We offer them personally, and they're a great way to get a quick understanding regarding what might be at risk in your organization. (http://content.security7.net/cybersecurity-risk-scorecard).
Just because you know where the problems are, it's incredibly difficult for many SMEs and SMBs to find the personnel they'd need to bring on to address those issues. That's why many SMBs and SMEs have started to consider bringing on a Managed Security Services Provider (MSSP for short)
A Managed Security Services Provider is an IT/InfoSec professional (or team of IT/InfoSec professionals) that offer security-as-a-service to their clientele.
An MSSP can offer services such as:
- 24x7 Performance and Availability monitoring
- Compliance Management
- Identity and Access Management (IAM)
- InfoSec Services (including cloud, domain, email, end-point and network security services)
- Security Awareness Training
Security7 Networks' new Security Advisory Services program expands on those offerings with:
- Compliance Mangement
- Cybersecurity Risk Scorecards
- Gap Analysis
- Leaked Credential Monitoring
- Metrics & Performance Monitoring
- Operationalized Information Security
- Penetration Testing
- Risk Assessment & Management
- Security Awareness Training
- Security Program Development & Implementation (CISv7, CSF, ISO 27001,
NIST SP 800-171, SOC 2)
- Standards & Framework Implementation
- Supplier Security
- Vulnerability Assessment & Management
Once you've answered a few of your security status related questions, there are a few you should ask yourself before engaging an MSSP to help with your InfoSec needs. We compiled a helpful list you can find here: https://www.security7.net/news/7-questions-you-should-ask-before-hiring-an-mssp
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.