Most businesses today are dependent on their data. Certainly accountants, financial advisors, medical offices, attorneys and most B2B companies are data-centric. But in this age of technology, even many B2C businesses, such as hairdressers and dry cleaners, have computerized systems which track customer contact information and history, preferences, inventory, schedules and accounting information. Businesses that hold confidential customer information have a fiduciary, regulatory or ethical responsibility to keep it safe. Despite their dependence on this data, most small and medium-sized business (SMB) owners don’t know how to protect the information that’s vital to their business. That’s where a certified information security professional can help.

Ask yourself this question … What would happen to your business if all your data were to disappear tomorrow or fall into the hands of a cybercriminal? If this question sends chills up your spine, keep reading.

Your business is at risk

SMBs traditionally underestimate their information security risk. Yet, reality has repeatedly shown that SMBs are even more likely than larger organizations to face information security threats. In the “2017 State of Cybersecurity in Small and Medium-Sized Businesses (SMB)” by the Ponemon Institute published in September 2017, 61% of survey respondents reported a cyber attack and 54% reported a data breach occurred in the past 12 months. These companies spent an average of $1,027,053 because of damage or theft of IT assets. These disruptions to normal operations cost an average of $1,207,965. The longer the time to detection, the greater the cost. The “2017 Cost of a Data Breach Study”, also released by the Ponemon Institute, found that U.S. companies took an average of 206 days to detect a data breach.

These statistics only count the companies that know they’ve been attacked or had a breach. As John Chambers, former CEO of Cisco, famously said, “[t]here are two types of companies: those that have been hacked, and those who don’t know they have been hacked.” Or, if you prefer former FBI Director Robert Mueller’s variation on this, “[t]here are only two types of companies: Those that have been hacked and those that will be hacked.” SMBs who think they won’t face information security threats to their business are simply being naïve.

Threats to your business data come from a multitude of sources:

  • Malicious outside bad actors – i.e. cybercriminals
  • Physical intruders – damage and theft
  • Disgruntled employees
  • Careless employees and simple mistakes
  • Poor planning
  • Natural disasters – fire, flood, power surge, etc.
  • Computer hardware failure
  • Software errors
  • Viruses and other malware
  • Accidental disclosure
  • Social engineering

Why cybercriminals attack SMBs

When the police asked a bank robber why he robbed the bank, his reply was simply, “Because that’s where the money is.” Cybercrime is no different, and many SMBs are a treasure trove of data.

Cybercriminals attack for 3 primary reasons:

  • Profit: to steal money or steal data for sale.
  • Information: the primary intention is the inherent value of the information gathered itself, not its resale value. Corporate espionage falls into this category.
  • Disruption: to cause a disruption to the business being attacked.

SMBs are wonderful targets for cybercriminals for several reasons. They:

  • generally underestimate their cyber risk.
  • generally lack the resources, both financial and personnel, to dedicate to addressing information security threats.
  • may not train their employees on how to deal with information security threats.
  • may not have dedicated IT staff, let alone staff who are trained to handle information security.
  • may have big customers. This can give a cybercriminal a back door into the big company’s systems or data.

Why your technical teams should not have oversight for your information security

Whether your IT team is internal, or you have an IT Managed Service Provider (MSP) that handles all IT for your company, they should not oversee your information security. The same is true regarding software development teams – whether internal or external. While these resources will certainly play an important role, they should not be “in charge” of information security for your organization for several reasons:

  • It’s not their core competency. IT teams and MSPs are traditionally focused on providing hardware, software and end-user support. Software developers are experts at building software systems. While many individuals on these teams have stepped up to the plate to fill the cybersecurity expertise gap, many of the attack vectors come from outside the normal IT space. The best defenses to social engineering attacks, for example, do not involve traditional IT defenses.
  • Many of these individuals do not have the depth and breadth of education and experience to fully lead information security at your organization. Information security is a complex, ever-evolving field and it takes a professional dedicated to this practice to keep up with the changes and to understand the cybersecurity landscape. To do this right is a full-time job.
  • Most importantly, having IT teams manage information security creates a conflict of interest. Information security professionals are responsible for auditing and ensuring that proper IT controls, policies and procedures are in place and functioning properly. If the IT team is also responsible for information security, you’ve got the classic “fox guarding the hen house” problem. In other words, a person is likely to exploit the information or resources that they have been charged to protect or

What a certified information security professional brings to the table

There are a number of information security certifications available from several certification bodies. They each have their own focus and requirements. Some certifications are highly technical, some are management focused, and some are a blend. For example, the (ISC)2 organization, an international, nonprofit membership association for information security leaders, offers 10 distinct certifications. One of these, the Certified Information Systems Security Professional (CISSP) certification, is, according to (ISC)2:

“The most-esteemed cybersecurity certification in the world. The CISSP recognizes information security leaders who understand cybersecurity strategy, as well as hands-on implementation. It shows you have the knowledge and experience to design, develop and manage the overall security posture of an organization.”

To achieve a CISSP certification candidates must:

  • Have a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight domains of the CISSP Common Body of Knowledge (CBK).
  • Pass a very comprehensive test demonstrating mastery of the CBK subject matter.
  • Agree to uphold the (ISC)2 Code of Ethics.
  • Be endorsed by someone who already holds the certification.

To remain a member in good standing a CISSP professional must:

  • Pay an annual fee.
  • Earn a minimum of 40 Continuing Professional Education (CPE) credits per year.
  • Abide by the (ISC)2 Code of Ethics.

Another common information security certification is the Certified Information Security Manager (CISM) offered by ISACA. According to ISACA:

“The uniquely management-focused CISM certification promotes international security practices and recognizes the individual who manages, designs, and oversees and assesses an enterprise’s information security.”

To achieve a CISM certification candidates must:

  • Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas.
  • Pass a very comprehensive test demonstrating mastery of the subject matter.
  • Agree to uphold the Code of Professional Ethics.

To remain a member in good standing a CISM professional must:

  • Pay an annual fee.
  • Complete a minimum of 20 contact hours of CPE annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period.
  • Abide by the ISACA Code of Professional Ethics.

What you’ll notice these certifications have in common is:

  • On-going financial commitment to the certification body.
  • Professional information security-focused, paid, work experience is a prerequisite for the certification.
  • Mastery of the information security knowledge areas covered by the certification as demonstrated by a comprehensive exam.
  • Agreement to uphold a Code of Ethics.
  • Extensive continuing education requirements to stay current on the ever-changing information security landscape.

Despite being wonderful targets for cybercriminals, most SMBs underestimate their information security risk exposure. Threats to SMB data come from a multitude of sources, and a holistic approach to countering these threats is needed. Companies’ IT and software development teams will play an important role but should not be the responsible party for your organization’s overall information security function. Only a certified information security professional has the years of experience and mastery of the threats and remediation tactics to properly lead a holistic approach to this critical business function. More importantly, there must be a separation of duties: the certified information security professional should set policies and procedures and audit for compliance with them, while the IT and software development teams should implement those policies and procedures. If your organization does not have a certified information security professional on staff, it is in your company’s best interest to either hire one (or more) or outsource to a qualified resource.
About the Author

Jeff Freedman is a senior strategic technology leader with over 30 years of experience in both information technology and software development, specializing in Software-as-a-Service (SaaS) and Information Security. For the past 17 years, he has held the positions of VP of Technology, CIO and CTO, and has been the de facto Chief Information Security Officer (CISO) in these positions as well. Jeff earned an M.S. in Information Technology Leadership from La Salle University and a B.S. in Computer Science from Lock Haven University of Pennsylvania. He is a Certified Information Systems Security Professional (CISSP). He currently runs Triad Information Security, a consulting business focusing on cybersecurity, and can be reached at