Sunday, January 17, 2016

Thinking about security for your small/medium business? Start with training

Do you remember the old saying, "Running a small/medium business is hard, running a secure one even more so?"  Not ringing a bell?  Well that is probably because I just made that up. 

The truth is, running a business is difficult. Lacking the ability to take on overhead for specialized positions in IT, security is generally not even thought of at all during business decisions. Because of this, small/medium business (SMB) are generally at the mercy of their vendors.  And, as Bruce Schneier put it, security is a lemons market, putting many SMBs at a disadvantage against skilled snake oil salesman. 

The problem is further shown when you investigate MBA programs at leading institutions. The core areas of an MBA generally fall into these categories: 

1) Finance and Accounting 
2) People and Organizations 
3) Supply Chain and Business Analysis 
4) Management 

While these courses are filled with useful information, none of it centers around cyber security. While this is slowly changing in the marketplace (http://www.businessbecause.com/news/business-finance-masters/3689/why-elite-b-schools-teach-mbas-cyber-security) most of the courses are still being segmented off into off-core topics. 

When you boil it down, security is the management of risk. The management of risk of your assets. Depending on your business, this could be your people, your processes, or your technology. Similar to how courses are taught on leadership, and building the right people to run your business, courses should be taken to learn about security and learn how to build the right capabilities to protect your business. 

The second question to answer here is, what training should owners of SMB take? After all, time needs to be divided between this topic and others. Further, the right level of knowledge needs to be achieved. Security is a rat hole, and you don't want to dive too deep. 

So, what are my recommendations?

1)  Start with government resources 
There are some good government resources on cyber security that have emerged over the past few years. Read them and digest what you can.  Consider them extremely short crash courses. 


2) Learn about your role in the security process 
As owners of SMB, you are responsible for the protection of assets. As not all assets can be protected equally, and you are responsible for making the tough decisions about how much to spend to protect what. 

  • Business Continuity 
    • You are responsible for defining the parameters, standards and guidelines 
  • Data Owner 
    • All the data created as part of operations is yours, protect what needs to be protected. 
  • Information Security Officer 
    • You are responsible for defining how information in your organization is protected 
  • Compliance Officer 
    • You are responsible for defining how your organization complies with various policies (federal, local, etc) 

3)  Read about various compliance regulations 
There is a great deal of overlap in various compliance regulations. Having a read through some of them will give you ideas of areas of your business that you should be concerned about. 

Check out PIPEDA / HIPAA / PCI 

Yes, the above short list may seem quite daunting, but these are concepts that every SMB should be aware of and actively targeting.  Do you know of any other good resources to help SMBs get started with security?