Security is an IT problem.
How many managers, owners, C-level executives and board members agree with this statement?
More than 50% of small and medium businesses and not-for-profit organisations think of the ICT department as the go-to people when it comes to protecting the business’s crown jewels.
There has been a significant push in the last 5 to 10 years to get SMEs away from this thinking and to think about business risk, compliance, governance and business security.
Yes, there is still a significant place for the ICT management of security around technology. They are the ones who have to work with limited resources, doing more and more with less and less, and producing the same level of protection year in and year out.
When it comes to a cyber event, the problem in today’s business world is that not everything can be secured with technology.
At a basic level, there are 6 areas that create a secure business environment; technology and frameworks is one of them. The others are risk management, people and education, policy and governance, resilience and, finally, continuous improvement.
As you can see, technology is only a small part of the solution.
The normal situation for SMEs and charities is to think that the ICT department knows it all. We have had similar situations ever since computers became an integral part of the business.
People who “know computers” were called on to fix the business infrastructure simply because they know computers. So a web designer was asked to fix a printer or a programmer was asked to set up an internet connection. Yes, they could do it, but in today’s world it is so much more complicated and complex.
Business security needs to be addressed by someone who knows security. Someone who understands risk! Someone who understands the fundamental security practices required to protect the organisation.
You would never go to an unqualified accountant to do your tax return, or an unqualified electrician to rewire your house, or even an unendorsed mechanic to repair your new BMW.
When it comes to protecting the business, especially from a cyber event, we rely on people who have minimal understanding of what needs to be done to create a secure business environment.