Larger organizations may have bigger cybersecurity budgets and IT teams, but those aren’t the only paths to building successful security programs. There’s evidence that security teams in small and midsize businesses (SMBs) are doing a better job in enabling the mission of their organizations, according to the Cisco 2021 Security Outcomes Study: Small and Midsize Business Edition.
For example, 44% of SMBs say their security teams are keeping pace with the changing needs and growth of the business, compared with 42% of large enterprises. This may seem like a small difference, but SMBs are achieving it with fewer resources.
“Small and midsize businesses tend to be more agile and have the benefit of fewer degrees of separation between business and IT,” says Wolfgang Goerlich, an advisory CISO at Cisco Secure. “That means security professionals have a direct line to understanding business objectives and can ensure security measures stay in lock-step with growth plans.”
This connection goes both ways. When the business better understands security’s role, that not only increases buy-in for security practices, it also improves risk mitigation.
To that end, the Cisco study identified three areas where small organizations (defined in this study as 50-249 employees) can focus to further their security success: enabling business; managing risk; and operating efficiently.
Three factors contribute to support for the business and achieving security outcomes:
- Sufficient security staff
- A secure development approach
- IT and security collaboration
Each of these components has been shown to increase confidence and buy-in from peers and business executives. For example, the probability for security success in obtaining peer buy-in increases up to 22% when small businesses have sufficient security staff.
“What’s interesting is that we asked about having sufficient, not dedicated staff,” says Goerlich. “Their success—despite having smaller teams—demonstrates that collaborative security personnel can enable the business and achieve desired outcomes.”
Cybersecurity is an ever-shifting landscape. New forms of malware, phishing, and ransomware make it difficult to manage risk. The Cisco study reveals that small organizations have the strongest probability for success when they have a sufficient security budget, and when IT and security work together.
These factors improve their ability to meet compliance regulations and manage risks.
“Compliance is a top driver for security initiatives, no matter the company size,” says Goerlich. “Although budgets are tight for small organizations, the study demonstrates that with appropriate investments organizations can meet regulations and reduce risk, regardless of size. That’s a data point to take to executive leadership.”
Enterprises large and small are budget conscious and must seek ways to streamline both IT and security. Both small and midsize organizations are finding success when teams understand security and the tie back to the business.
“Being able to draw a line from business objectives to security initiatives helps immensely,” says Goerlich. “That means working together collaboratively to eliminate any areas of inefficiency.”
Another piece of the puzzle is having the right resources for the security job. SMBs don’t need to break the budget to obtain proactive technology solutions.
For example, Cisco provides a wealth of resources specifically geared to small and midsize businesses. It also offers forums for SMB peers to share strategy, as well as gain expert advice.
“Small and midsize organizations have demonstrated successful outcomes. Their size doesn’t hinder their security programs, and in fact provides advantages,” says Goerlich. “To become even more resilient for whatever comes next, these businesses should continue fostering security and business collaboration and using the right tools.”