Do Small Organizations Have CISOs?
Do small organizations have CISOs? Not always, and there are a number of reasons why that is. But there are more important reasons why they should.
Rarely — and Here’s Why
Cybersecurity is important for all organizations regardless of size. So is the role of chief information security officer (CISO). Not only is this important position responsible for a company’s entire information security strategy, but it’s also responsible for communicating the importance of such a program to employees and working with leadership teams on program development and implementation. It’s common to find such a position at middle-market and enterprise-level companies, but do small organizations have CISOs?
Unfortunately, it can be difficult for a small organization to be able to find let alone retain a CISO on its leadership or security teams. There are a number of reasons for this. First is the skill set required to become a CISO. A great deal of technical knowledge is needed, but so too is the ability to communicate, lead, develop strategy, and even practice some measure of diplomacy. Candidates with the right combination of technology expertise as well as refined leadership and communication abilities are uncommon.
The second reason why small organizations don’t have CISOs comes down to resources. Because a CISO is a leadership-level position that often requires a decade of experience or more, the average salary for a CISO in the United States stands around $225,000 with some markets even approaching $400,000. This level of compensation is often impossible for smaller organizations. Even if a smaller company were able to secure a CISO at or below the average, it might prove difficult to keep them with such a high demand for the position.
A final reason why small organizations don’t have CISOs is because of the structure and capability of the IT team available to them. A smaller company with a 5–10-person IT team naturally won’t have the same capacity, tooling, or processes as a larger organization with twice or even triple the number of team members and systems. This can make it difficult for a CISO to implement the level of cybersecurity needed to achieve their goals.
Why Small Organizations Should Still Have a CISO
Despite all of these challenges and roadblocks, it’s just as important for smaller organizations to have a CISO as it is for middle-market and enterprise-level organizations. But how can smaller companies attract and retain a CISO to help lead their information security efforts when all of the cards are seemingly stacked against them? We’ll come to that shortly, but for now, let’s consider the key reasons why smaller companies need a CISO regardless of company size.
1. Smaller Companies Are Operating at Bigger Scales
While you might think a larger organization carries more risk of losing company data or customers’ personally identifiable information (PII), the increasing use of cloud services for infrastructure and other key operations areas has made it easier for smaller organizations to operate at an enterprise level. This means they often carry just as much security risk with their services and operations as companies many times their size.
While a larger company may be able to withstand the public backlash and absorb the time and costs associated with remediating a cybersecurity incident, smaller companies might not. A CISO ensures that you have a game plan in place and that all of your bases are covered.
2. Compliance is Compliance — Regardless of Company Size
For companies in heavily regulated industries, such as healthcare or financial services, it doesn’t matter if you’re a small or large organization. You have to meet certain requirements in order to provide your services and stay on the right side of the law; otherwise, you’ll be subject to significant fines and regulatory action. If you’re a small company competing against a larger institution in home lending, for example, you can be subject to the same financial regulations and compliance requirements as companies 10, 100, or 1,000 times your size.
CISOs have an in-depth understanding of the compliance requirements that different industries must meet in order to avoid penalties. The investment required for a CISO is also modest compared with many of the fines that can be imposed on your organization in the event of a breach or problem. CISOs will also communicate the importance of compliance and work with your team to create and implement the security strategy needed to meet regulatory requirements.
3. Small Businesses Are the Greater Targets
For many small companies, it’s easy to think that because you’re small, you stand a smaller chance of being targeted by cybercriminals. While it makes sense that a hacker would want to target a larger company (i.e., perceived greater opportunity) for damage and monetary gain, it’s actually small businesses that are more often in the crosshairs. This is because small to midsize businesses (SMBs) are considered low-hanging fruit. According to the National Cyber Security Alliance, 70% of cyberattacks are aimed at SMBs for this exact reason. Cyberattacks are also becoming more advanced, with hackers taking a multi-attack approach that includes everything from phishing attempts to carefully thought-out social engineering attacks.
Part of a CISO’s responsibility is staying abreast of the latest tactics and strategies hackers are using. That, and building and monitoring the necessary infrastructure, policies, and response plans that organizations need to stay safe. With a CISO, your small business can stay ahead of the game, and in the event of an incident, you’ll be better prepared to respond strategically.
4. A CISO is Different from Other Roles
Companies often confuse a CISO with an IT administrator — a more infrastructure-focused position. While this person may have authority over IT equipment, systems, and processes, information security is just one part of their overall responsibilities. As a result, security efforts are more diluted and less of a focus for administrators than they are for proper CISOs.
A CISO partners with an IT administrator as well as other leadership and technology roles to ensure a comprehensive information security program is established, monitored, revised, shared, and measured. A CISO is often compared to external legal counsel. Whether you have a CISO in-house or through a retainer relationship, the CISO provides independent expertise and guidance while also protecting the organization in the event of an incident.
The CISO Solution for Small Businesses
So, do small organizations have CISOs and need them? They absolutely do. But how is your organization supposed to bring one aboard when the resources and structure may not be available? Good news: you don’t need to hire a CISO outright. At Inversion6, we provide third-party CISOs to champion your information security strategy.
You don’t have to worry about compensation limitations, nor do you have to worry about not having the IT infrastructure needed to support the position. Our CISOs partner with your organization at a leadership level to understand your security program, help to build or refine it, and then communicate and manage it on an ongoing basis. Each of our CISOs brings with them years of cybersecurity industry experience with organizations across multiple industries — experience that they can use to keep your business secure.
This provides you with the expertise, strategy, and support of a CISO without having to navigate the many constraints smaller organizations face in hiring one. If your small organization needs a CISO, whether to maintain compliance or to enhance your security strategy, fill out the form below to talk with our team.