ISACA guides skills-challenged SMBs towards security governance

A new pair of manuals from peak security industry body ISACA is aiming to boost the information-security posture of small and medium-sized businesses (SMBs) by guiding the traditionally resource-challenged companies through the process of implementing a robust governance framework and then building a security framework on top of it.

Based on ISACA's COBIT 5 business governance framework, ISACA's Cybersecurity Guidance for Small and Medium-Sized Enterprises and companion Implementing Cybersecurity Guidance for Small and Medium-Sized Enterprises chart a path for smaller businesses to identify their information-security risks and then implement policies to continually address them.

The guides were developed to address a deficiency in security investment amongst SMBs, where resources are typically limited and developing what ISACA international president Robert Stroud called a “prudent” cybersecurity strategy can be quite difficult.

“Cybercrime and cyber warfare are not restricted to large enterprises,” Stroud said in a statement. “SMEs are being targeted, and stakeholders need to understand that cybersecurity is a constantly evolving process – not an end result.”

That process needs to constantly evolve even in the smallest company – but is often crippled by a lack of upfront concern about security in organisations without the luxury of long-term planning, Stroud recently told CSO Australia.

“We've ended up in this situation through growth and investment, and looking to grow the business, where we often add security at the end,” he explained.

A fundamental change I'm seeing is that security teams are attempting to get involved right up in the project initiation session. If you do that, you can map your security on the way through – and it leads to a less complicated environment in the end.”

Such environments are critical if SMBs are to respond to the security issues that are proving to be increasingly problematic for them. Ransomware, for example, has been particularly crippling for Australian SMBs because its high prevalence and easy infection – all it takes to get hit is one employee to click on the wrong attachment – can immediately lead to high-grade security problems that are not easily resolved.

Previous ISACA research found phishing and malware to be more frequently successful even than hacking attempts.

Read more: Security Watch: Fujitsu launches Security Services practice

That survey also revealed a significant problem due to the lack of qualified cybersecurity experts – something that would be particularly acutely felt in SMBs.

While 82 percent of respondents expect they will be hit with a security attack this year, the survey found, more than half of respondents said that less than one in four job applicants was qualified for their requirements. Fully 35 percent have security-related job openings that they cannot fill.

With 72 percent of today's security professionals struggling to understand the business's security requirement, ISACA's new SMB guides may prove to be a boon for smaller organisations struggling to find staff with formal security-governance qualifications – particularly in Australia, where an ongoing surge in concern about information security has driven security investments to world-leading levels.

“Australia is definitely at the forefront of this new cybersecurity threat profile,” Stroud said. “Everywhere I go, organisations are investing in this domain and talking about it. They're really trying to understand what the threat profile is.”

“Security is an ecosystem, and we all need to be part of the ecosystem to understand how to respond and work together.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Feeling social? Follow us on Twitter and LinkedIn Now!

Tags cybercrimeISACAcyber warfaresecurity professionalsCSO Australiasecurity governanceISACA research

Show Comments