ISACA guides skills-challenged SMBs towards security governance

A new pair of manuals from peak security industry body ISACA is aiming to boost the information-security posture of small and medium-sized businesses (SMBs) by guiding the traditionally resource-challenged companies through the process of implementing a robust governance framework and then building a security framework on top of it.

Based on ISACA's COBIT 5 business governance framework, ISACA's Cybersecurity Guidance for Small and Medium-Sized Enterprises and companion Implementing Cybersecurity Guidance for Small and Medium-Sized Enterprises chart a path for smaller businesses to identify their information-security risks and then implement policies to continually address them.

The guides were developed to address a deficiency in security investment amongst SMBs, where resources are typically limited and developing what ISACA international president Robert Stroud called a “prudent” cybersecurity strategy can be quite difficult.

“Cybercrime and cyber warfare are not restricted to large enterprises,” Stroud said in a statement. “SMEs are being targeted, and stakeholders need to understand that cybersecurity is a constantly evolving process – not an end result.”

That process needs to constantly evolve even in the smallest company – but is often crippled by a lack of upfront concern about security in organisations without the luxury of long-term planning, Stroud recently told CSO Australia.

“We've ended up in this situation through growth and investment, and looking to grow the business, where we often add security at the end,” he explained.

“A fundamental change I'm seeing is that security teams are attempting to get involved right up in the project initiation session. If you do that, you can map your security on the way through – and it leads to a less complicated environment in the end.”

Such environments are critical if SMBs are to respond to the security issues that are proving to be increasingly problematic for them. Ransomware, for example, has been particularly crippling for Australian SMBs because its high prevalence and easy infection – all it takes to get hit is one employee to click on the wrong attachment – can immediately lead to high-grade security problems that are not easily resolved.

Previous ISACA research found phishing and malware to be successful even more often than hacking attempts.


That survey also revealed a significant problem stemming from the lack of qualified cybersecurity experts – a shortage that is felt especially acutely in SMBs.

While 82 percent of respondents expect they will be hit with a security attack this year, the survey found, more than half of respondents said that less than one in four job applicants was qualified for their requirements. Fully 35 percent have security-related job openings that they cannot fill.

With 72 percent of today's security professionals struggling to understand the business's security requirement, ISACA's new SMB guides may prove to be a boon for smaller organisations struggling to find staff with formal security-governance qualifications – particularly in Australia, where an ongoing surge in concern about information security has driven security investments to world-leading levels.

“Australia is definitely at the forefront of this new cybersecurity threat profile,” Stroud said. “Everywhere I go, organisations are investing in this domain and talking about it. They're really trying to understand what the threat profile is.”


“Security is an ecosystem, and we all need to be part of the ecosystem to understand how to respond and work together.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue