
Approaching cybersecurity as a critical business function

Dec 19, 2017
Enterprise | Risk Management | Security

Taking the right security steps for small and medium-sized businesses (SMBs).


“I don’t have to worry about hackers, I am a small company. Why would they care about me?” I can’t count the number of times I have heard a version of that statement. I have found that many small and medium-sized businesses (SMBs) don’t see themselves as targets.

I gather that in the digital hurricane that is today’s internet, they imagine themselves as debris so small that no one will notice them. However, as we have seen in survey after survey, cybercrime is on the rise across all industries and company sizes. Coupled with the expansion of new malware types and the growth of automated hacking tools, this has made it cheaper and more accessible for cybercriminals to search for targets of opportunity.

One of the reasons SMBs have more significant exposure to cybercrime is that they often lack an understanding of the risks their company faces. Many are constrained by funding and feel security would significantly impact their ability to be profitable. Also, SMBs sometimes lack skilled security staff, which can lead to confusion about how to implement cybersecurity controls that meet the compliance requirements of their industry regulations. Keeping all of this in mind, SMBs can reduce the risk exposure of their critical data and business operations without incurring significant costs by following these security steps.

1. Understand the drivers behind cybersecurity investments

To begin, SMBs need to understand why they require cybersecurity and the value these services can bring to their business. Before diving into the risk frameworks, security controls, and best practices that security teams use, SMBs should first understand the drivers behind their cybersecurity requirements.

Hopefully, their main driver is the ongoing need to protect their growing business and its critical data, rather than a recent cyberattack or a reaction to attacks observed on other companies. Whether it is in response to past concerns or a new requirement initiated by customers or business partners, SMBs need to understand these drivers. The identified security drivers will dictate how much risk the business is willing to accept and how many cybersecurity services the company is willing to implement.

2. Review your IT portfolio

After the organization understands its needs for cybersecurity, there are initial steps it can begin to implement to manage its risk exposure. The first step is to review the current information technology (IT) portfolio. This is an inventory of the existing IT environment, including hardware, software, network infrastructure, staff skill sets, third-party connections, remote workers or contractors, etc. The purpose of this first step is to provide insight into the current technical environment so management understands the technologies in use, the business data that is critical, and the connections to partners and organizations outside the company. By the end of this step, the SMB should understand its IT environment’s current state and have gained some insight into its inherent risks.

3. Conduct a risk assessment

The next step is for the SMB to envision its future state, and to do this correctly, I suggest conducting a risk assessment. This assessment will provide a baseline of which current security controls are working properly, which controls are immature and need remediation, and which controls don’t apply to existing business operations. The results of this assessment will provide a more in-depth view of the risks facing the business. This new risk picture will initiate discussions about business practices that need to be updated, new security technologies to be implemented, and/or security services the SMB can contract with a trusted partner.

Getting a distinct picture of risk will establish the SMB’s “risk appetite.” It creates a methodology for how the SMB will evaluate future technology-related business efforts and address any new risk requirements. Having this process in place allows an SMB to grow and be innovative with new technologies, because it has a procedure to manage risk without impacting its ability to be profitable.

4. Develop a strategic cybersecurity improvement plan

As mentioned previously, in establishing a risk baseline, the SMB identified business processes that need updating and security controls that were immature. These issues are a ready-made list for the business to develop a strategic plan for implementing cybersecurity. The SMB should rank these problems in priority based on their impact on business operations, their value to business stakeholders, any compliance or regulatory requirements, and finally the current funding available. The development of a cybersecurity strategic improvement plan can be accomplished in parallel with the organization establishing its first security program and hiring its first security staff. Having this strategic plan will enable the business’s new security team to understand which security initiatives to complete first, the value the projects bring to the company, the risks that are being addressed, and the ongoing security controls that must be managed.

There’s no denying that the number of breaches and attacks on the SMB community is growing. I believe that to address their escalating risks, SMBs must be proactive and manage their risk exposure by doing basic cybersecurity hygiene correctly and continuously, and the steps I have provided should help them begin this process. Furthermore, some recommended resources that can assist SMBs in developing a security strategy are:

Remember, cybersecurity is a lifecycle that doesn’t provide value in a vacuum. For the SMB to be effective, it must approach cybersecurity as a critical business function and not be afraid to ask for assistance from the vibrant security community.


As Chief Information Security Officer (CISO), Gary Hayslip guides Webroot’s information security program, providing enterprise risk management. He is responsible for the development and implementation of all information security strategies, including the company’s security standards, procedures, and internal controls. Gary also contributes to product strategy, helping to guide the efficacy of Webroot’s security solutions portfolio.

As CISO, his mission includes creating a “risk aware” culture that places high value on securing and protecting customer information entrusted to Webroot. Gary has a record of establishing enterprise information security programs and managing multiple cross-functional network and security teams. Gary is co-author of “CISO Desk Reference Guide: A Practical Guide for CISOs” focused on enabling CISOs to expand their expertise and scope of knowledge.

Gary’s previous information security roles include CISO, Deputy Director of IT and senior network architect roles for the City of San Diego, the U.S. Navy (Active Duty) and as a U.S. Federal Government employee. In these positions he built security programs from the ground up, audited large disparate networks and consolidated legacy network infrastructure into converged virtualized data centers.

Gary is involved in the cybersecurity and technology start-up communities in San Diego, where he is the co-chairman for Cybertech, the parent organization that houses the cyber incubator Cyberhive and the Internet of Things (IoT) incubator iHive. He also serves as a member of the EvoNexus Selection Committee, where he is instrumental in reviewing and mentoring cybersecurity and IoT startups. Gary is an active member of the professional organizations ISSA, ISACA and OWASP, and is on the Board of Directors for InfraGard. Gary holds numerous professional certifications, including CISSP, CISA and CRISC, and holds a Bachelor of Science in Information Systems Management and a Master’s degree in Business Administration. Gary has more than 28 years of experience in information security, enterprise risk management and data privacy.

The opinions expressed in this blog are those of Gary Hayslip and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.