Who is it for?

- 85%: cybersecurity issues would have a severe impact on the business
- 57%: companies fear complete closure due to information security attacks
- 36%: respondents reported having suffered a security incident in the past 5 years
Why do medium and small businesses need a CISO?

ENISA, the cybersecurity agency of the European Union, published on 28 June 2021 a field study aimed at understanding the main needs and critical issues of small and medium-sized enterprises (SMEs) during the pandemic, in order to give guidance on the measures to adopt and the elements that deserve particular attention.

More than 85% of the companies surveyed for the study stated that the cybersecurity problems they suffered would have a serious negative impact on their business, while 57% stated that they would most likely have to close as a result of such serious incidents.

[...] the false assurance is rampant among SMEs that the security controls included in the IT software and services they have purchased will suffice, and that no further security checks will be required on their part unless required by law.

[...] 36% of respondents reported having suffered a security incident in the last 5 years, and 8% of the same respondents said they had suffered a cybersecurity incident since the start of the pandemic crisis, which indicates a sharp increase in incidents during the short period of time since the onset of the crisis.

The challenges that emerge for SMEs are the following:

- poor awareness of IT security among staff;

- inadequate protection of critical information;

- lack of adequate budget;

- lack of specialists or adequate skills in cybersecurity;

- lack of adequate guidelines on cybersecurity specific to SMEs.

Frequently asked questions and "myths" about information security
We are small, we are not a target
Maybe, but that's not always true

The dramatic increase in ransomware attacks such as WannaCry and Petya / NotPetya shows that no one is immune to attacks. Additionally, the growing interconnection of digital business ecosystems expands and extends business risks, so even if your organization is not a target, your partners may be.

We have nothing anyone would want
Information has value

This could only be the case if your organization had no customers, employees, contractors, intellectual property, business processes, shareholders or stakeholders, but that would also mean there is no business.

We can't afford a CISO, so we'll hire the engineer (or architect, administrator or sysadmin) with security
This is a fallback solution

In theory, this tactical approach could work in the short term, but as a long-term approach it places too much emphasis on tools and tactics and not enough on people and processes. Engineers, architects and administrators have specific skills and responsibilities focused on delivering technical results.

In practice, a dedicated and focused role is needed to lead the Information Security program and to ensure, over time, the transition to a more strategic approach, one that must be understood and supported by Company Management.

We are not regulated, so we don't need a CISO
Yes, but no one is immune

Not being regulated does not oblige an organization to include the position of CISO in its workforce: TRUE! However, that does not mean it has no risk to manage as part of achieving its business goals.

Having an Information Security program leader, with the governance and strategic vision that role brings, improves both security and defensibility in the event of an incident.