Last Updated on December 3, 2025
Faced with an ever-shifting barrage of cyber-attacks, client demands, compliance requirements, and business objectives, SMBs need strategic cybersecurity guidance just as much as bigger companies. Yet many cannot justify hiring a full-time chief information security officer (CISO).
A focus on cybersecurity tactics without strategic direction notoriously leads to underperforming technology investments, blind spots in risk management, and misalignment between cybersecurity and business goals. In the absence of a CISO, cybersecurity strategy may be coordinated through the IT department, a managed service provider (MSP/MSSP), a virtual CISO (vCISO), or a group of stakeholders.
If your company does not currently have a point person to drive cybersecurity strategy, is your cybersecurity program helping the business grow? Or setting you up for a data breach?
Considering the five questions below can offer guidance on where you really stand with cybersecurity strategy and direction.
Key takeaways
- Cybersecurity risk assessment is key to strategy.
- Customer needs should be a primary driver for cybersecurity strategy and tactics.
- Developing and sharing the right metrics can help business leaders strategize about cybersecurity investments.
- If you don’t know what sensitive data you have and where it resides, you cannot protect it.
- A best-practice cybersecurity program that can adapt to a volatile and uncertain future is the best defense against novel threats and attacks.
One: Have we clearly defined our company’s cybersecurity risk tolerance? (And are we operating within that?)
Many SMBs don’t fully understand their cybersecurity risks or have a business-centric strategy for countering them. Top reasons for this include:
- Insufficient attention to cybersecurity. Many SMBs lack not only a cybersecurity strategy, but also critical cybersecurity controls like data encryption, multi-factor authentication (MFA), and robust data backups.
- Challenges with quantifying risk. SMBs may know they face significant cyber risks (e.g., vulnerability to ransomware) but have yet to quantify those risks to drive cybersecurity investment plans.
- Lack of resources and expertise. SMBs are often strapped for resources and know-how to invest in cybersecurity, leaving business leaders to “throw up their hands” and put off implementing essential controls.
- A “security through obscurity” view. Despite overwhelming evidence to the contrary, some SMB leaders still believe their business is too small for hackers to target, leaving cyber risks unexamined and unacceptably high.
Until you analyze your cybersecurity risks and identify how much risk you are willing to accept versus mitigate, your business cannot develop a strategy that balances cybersecurity investments with operational needs. Analysis, planning, and expertise are essential to weigh the financial, reputational, and operational consequences of a risk manifesting against the cost of the measures needed to address it.
To initiate cyber risk analysis, SMBs first need to:
- Identify their sensitive data and where it resides
- Evaluate the likelihood and impact of current threats manifesting
- Identify current vulnerabilities across their attack surface, including the cloud
- Prioritize identified risks and communicate them in business terms
- Create a risk mitigation roadmap
Ensuring a business has the insight it needs for strategic, risk-based cybersecurity decision-making enables SMBs to balance user productivity, customer care, and cybersecurity and compliance risk exposure. The goal is to make cybersecurity a strategic business enabler that creates value in addition to preserving value.
Two: What do our customers need from us to meet their cybersecurity and compliance requirements?
With about 30% of data breaches now involving vendors or suppliers, your clients are probably more careful than ever about sharing data or providing access. Not only are you responsible for protecting their data, but increasingly you also need to prove you can do so.
Especially if you serve customers in regulated industries, chances are you’re responding to more and more cybersecurity questionnaires. These often consume significant time and are viewed as a burden.
But these questionnaires can offer multiple insights and benefits:
- They can tell you what cybersecurity capabilities are most important to your customers, to help inform both strategic and tactical cybersecurity priorities.
- They can point out where you need to bolster your cybersecurity controls to align with market demands.
- If you have a strong cybersecurity story for your clients, questionnaire responses can help you tell it—building trust, improving client satisfaction, and supporting contract renewals and other repeat business.
- They can help both you and your clients maintain compliance with key regulations and voluntary frameworks like HIPAA, PCI DSS, NIST 800-171/CMMC, ISO 27001, etc.
- They can help establish openness and accountability between you and your clients, while clarifying “shared responsibility” for cybersecurity.
Tying cybersecurity to client demands can also make a strong case for security investments, because it lets you connect technology costs directly to revenue.
SMBs should also look beyond questionnaires and drill deeper into client cybersecurity needs. For example, if a questionnaire mandates “HITRUST certification,” what does that really mean? What HITRUST certification level does the client specifically require? You may have more or less work to do depending on the answer.
Three: What are the right metrics to communicate cybersecurity priorities to management? (And how can we collect them?)
Sharing the right metrics is key to communicating cybersecurity priorities and performance to executive leadership. Conventional cybersecurity metrics like mean time to detect, intrusion attempts, and patch management efficiency don’t convey much about cybersecurity’s business value.
How is cybersecurity supporting business objectives? How is cybersecurity building revenue and stakeholder trust? What cybersecurity insights do senior leaders need to guide their decision-making? These are the kinds of metrics and key performance indicators (KPIs) to look for when addressing the C-Suite.
But illustrating cybersecurity ROI is notably difficult. Businesses tend to focus on value preservation factors like minimizing data breach impacts—which are great for the CFO. The value creation and business enablement benefits of cybersecurity investments, such as winning more new customers, meeting current customers’ vendor risk requirements, and reducing cyber liability insurance costs can be harder to quantify.
Some trends to analyze and track for senior management include:
- Cybersecurity performance or Capability Maturity Model Integration (CMMI) level compared with industry peers
- Preparedness level for withstanding a cyber-attack
- Costs associated with cyber incidents
- Regulatory compliance incidents or compliance assessment results
- Reduction in business risk over time
- Results of automated incident response
- Vendor risk management results and insights
- Cyber awareness training test results
Management needs a picture of how cybersecurity fits within the wider business strategy, and how cybersecurity investments support business goals.
Four: Where does all our company’s sensitive data reside, and how are we protecting it?
If you don’t know where your sensitive data is located, how it got there, and where it’s going, there’s no way you can safeguard it. With today’s complex attack surfaces and diverse unstructured data types, hackers can be exfiltrating sensitive data you don’t even know about. You don’t want to find out the hard way that you left important information unprotected.
Other reasons why every SMB needs to know where its data resides include:
- If you don’t know where data resides, you can’t ensure its availability.
- If you don’t know where data resides, you may not know what privacy laws and other regulations apply to it.
- If you don’t know where data resides, you can’t consolidate it for data management efficiency and cost savings.
- If you don’t know where data resides, you can’t leverage it for analytics.
- If you don’t know where data resides, you can’t prioritize IT recovery and business continuity activities.
- If you don’t know where data resides, you can’t demonstrate regulatory compliance.
In short, besides being central to data protection and information security, keeping track of your data is foundational to risk management, business resilience, stakeholder peace of mind, and basic competitiveness.
Five: What’s the next attack that could surprise us? What new threats do we need to prepare for next?
Most SMBs must secure an evolving and expanding attack surface against increasingly sophisticated adversaries capable of launching unforeseen attacks. With hackers wielding deepfake AI and other powerful new tools, what you don’t know can hurt you quickly.
To prioritize cybersecurity control enhancements, SMBs need to regularly reassess their risks. How is your attack surface changing? What attacks are currently targeting your industry, clients, and/or peers? What incidents are probing your defenses? What does threat intelligence reveal about relevant new exploits?
Inputs like these are the starting points for risk assessment and risk treatment. Another overarching question for SMBs to consider is: Do we have a “defense in depth” or “zero trust” cybersecurity posture that can protect the business from unforeseen assaults? Alignment with best-practice frameworks like ISO 27001 can help organizations “expect the unexpected” and withstand attacks that flatten less secure firms.
What’s next?
If you don’t have ready answers to these questions, or you don’t like the answers you find, contact CBIZ Pivot Point Security for a free consultation on how our vCISO/virtual security team service can cost-effectively protect your business from cybersecurity risk.