Do SMBs Need a CISO?

As part of our “C-Suite Accountability” theme, we explore why holding senior executives accountable is a necessary motivator in the prioritization, development, and adoption of cybersecurity initiatives across the small to medium-sized organization. In this post, our own Virtual CISO discusses the role in SMBs in an effort to remove barriers and highlight its necessity.

When I face objections about the Virtual CISO service from stakeholders at SMBs, they’re usually based on the (perceived) absence of need for the outcomes it drives. Maybe they don’t fully understand what those outcomes are? I also hear a lot of rationalization about why SMBs simply “don’t need me yet” even when they know the outcomes. Objections like these contribute to misinformation in the market and could deter somebody from getting a CISO when they really need one. Read on for the 5 reasons SMBs think they don’t need a CISO, and my rebuttals to each of them, as I defend the tremendous value of a CISO to any organization without one.

First, what outcomes does a CISO drive?

I’ve covered the role and responsibilities of a Virtual CISO before. The outcome it should be driving for you is “regulatory compliance”… which really means understanding where you are vulnerable from an information security perspective, and understanding what the law says you need to have in place to protect the privacy of your clients, partners, employees, and yourselves. Think about all this in the context of the risk of losing your intellectual property, your competitive advantage, or even your ability to operate.

With that context in mind, here are the five reasons that some SMBs incorrectly believe that they don’t need a CISO:

1) I’ll Just Download Something from the Internet…

It has never been easier to access a pile of unqualified opinions about what you “should (Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour.