Industry Insights with J. Wolfgang Goerlich

Smaller Can Be Better: Where SMBs Excel at Security

Cisco Study Reveals Areas Where SMBs Outrank Large Organizations
Smaller Can Be Better: Where SMBs Excel at Security

Being a large organization isn't necessarily better when it comes to security. There are areas in which small and midsize businesses achieve stronger outcomes.

See Also: Ransomware Demystified: What Security Analysts Need to Know

Cisco recently released the 2021 Security Outcomes Study - Small and Midsize Business (SMB) Edition, which revealed a number of somewhat surprising findings about SMBs and how they compare to their larger counterparts.

The report found that 44% of SMBs reported that their security efforts are successfully keeping up with the business, which is higher than what was reported by large enterprise organizations. SMBs were also better at managing risk and are increasingly making gains at operating efficiency.

This all makes sense when you consider that SMBs are more constrained in terms of resources than large organizations. Therefore, SMBs aggressively make the most out of what they have. The strong results for SMBs could also be a reflection of their flatter organizational structure, in which there are fewer degrees of separation between business and IT leaders.

The data in this report shows how the relationships that are formed in small and midsize organizations can be leveraged to drive security outcomes.

Resilience Is Key to Improving Security Outcomes

Good security deters the adversary without deterring the workforce. To get to that point, it's essential to understand what people in the organization are doing to get the work done.

One winning strategy that security leaders and security teams in SMBs are applying is using resilience to build the business case for security. Resilience starts with asking: What does the technology mean to the business? What is this piece of equipment or that person doing to enable the organization to meet its goals? How much money would we lose if a service isn't available? By answering these questions, a security leader can drive a number of security outcomes with continuity, recovery and response initiatives.

The study found that continuity and recovery have emerged as primary factors in SMB security success, which is especially critical now as business resiliency is more important than ever before. Across 25 different security practices evaluated in the study, prompt disaster recovery capabilities surfaced as the biggest differentiator of success between SMBs and large organizations. Organizations with rapid disaster recovery capabilities reported having a better overall security culture and greater executive confidence.

A core element of resilience is incident response, which is another area where SMBs score well. While preventing bad things from happening is always a good idea, incident response is about minimizing the impact of security incidents when they do occur. According to the study, in small organizations, incident response capabilities yield the highest correlation with successfully managing security risks.

Often security is thought of as being about a single tool or technology that can solve a given problem. But resilience does not come from buying any one thing. It comes from having the ability to manage data risks, maintain efficient and appropriate security controls and implement incident response plans quickly.

The Value of Metrics for SMBs

While SMBs might be doing solid security work, their employees lack the time and resources to create large reports that track every minute detail of IT operations. Large organizations often have more metrics and security dashboards for tracking their security initiatives. But although SMBs might not have strong metrics, the data shows they compensate by focusing on the right priorities.

Today I would encourage the small business that does not yet have good metrics to start down the path of instrumenting some processes and measuring the efficacy of controls. The prioritization and focus that SMB security teams have apply directly to metrics. Select, develop, implement and manage to specific key performance and key risk indicators.

Also, it’s valuable to track exceptions and determine where there is friction in the process. SMBs should evaluate the workforce concerns and make sure that security maintains a balance between preventing risks and enabling the business.

SMBs are making the best of the limited resources that are available to them. It's important that they avoid over-engineering their security programs and continue to focus on the data and the priorities that provide business resilience and enablement.

About the Author

J. Wolfgang Goerlich

J. Wolfgang Goerlich

Advisory CISO, Cisco Secure

J. Wolfgang Goerlich is an Advisory CISO at Cisco Secure. He has than 20 years of experience serving an IT and cybersecurity strategist in healthcare and financial services. Passionate about community, Goerlich co-founded the OWASP Detroit chapter and organizes the annual Converge and BSides Detroit conferences. Wolf regularly discusses a variety of IT and security topics on his popular video blog, “Stuck in Traffic.”

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.