Adam Hansen is that rare bird in the small to midsize business (SMB) realm: He is a CSO. Hansen heads up security for Sonnenschein, Nath and Rosenthal, an 800-attorney law firm in Chicago.
Granted, Hansen's employer sits on the higher end of the SMB size spectrum, but it is still relatively uncommon for companies with revenues under $500 million to have a person devoted to security. Hansen is rarer yet in that he leads a staff of six security professionals, who handle all aspects of physical and information security for the firm, which has 16 offices. "I've been lucky here," he says. Many companies of comparable size don't have anyone who takes a global view of security.
More great tips for smaller companies
- 2011: Small company takes on big PCI challenge
- 2007: 3 companies that fought back
- 2011: New FCC tool helps SMBs plan for cyberattack
When it comes to information security, most IT people at SMBs tend to be generalists rather than specialists like the ones at Sonnenschein. "They put in a new disk farm yesterday, today they're doing a website, tomorrow they will do something with security," says Darrell Rodenbaugh, senior VP of the midmarket segment for McAfee Security, a security software vendor in Santa Clara, Calif.
McAfee surveys its vast SMB user population frequently to discern their security practices and habits. "Most spend less than an hour a week proactively managing security," says Rodenbaugh. According to the most recent McAfee survey, most SMB respondents did not believe they are a likely target of cybercrime. "They don't think they are well enough known, but nothing could be further from the truth."