Correct Your Posture: Information Security Essentials for Budget-Minded Businesses — Part 2 of 2

Part 1 of our information security article focused on defining and discussing the importance of a proper security posture for small and medium sized businesses. Now let’s review the potential costs of doing so.

Is infosec possible for budget-minded businesses?
If hiring a full-time chief information security officer (CISO) or information security analyst is too expensive, and employees don’t have the time or knowledge to handle infosec themselves, what are SMBs to do? Some mistakenly believe that moving their IT operations to a public cloud provider like AWS or Microsoft Azure will take security problems off their plate. This is because many cloud hosting providers have some security and compliance features built in. But are they enough to fully satisfy the standards of actual clients?

Cloud hosting solutions give customers some basic backend security at the level of the technology itself, according to Michael Munoz, product manager at CMHWorks. “But you still have to have policies and procedures to dictate how you manage items such as employee access to IT systems and physical access to the building for both visitors and staff. Do they have company issued laptops and equipment? Are logins two-factor authenticated? Do you control the software and devices that employees get to connect to their machines?” Munoz said.

Those questions come under the purview of an overarching security policy, which isn’t just about technology. It is, to a large degree, about expertise — knowing exactly what a company’s infosec priorities should be, how to implement practices that serve them and when it might be necessary to alter practices based on its industry sector and its clients’ demands. For example, when a client or governing body requests a security audit, a company may need to show policies and procedures on access control requirements, disaster recovery and more, according to Munoz. “There’s a whole slew of other documents that typically get requested whenever somebody’s asking for a security audit that most companies haven’t done or don’t have the time to do or don’t understand how to do,” he said.

Some may opt to have their existing staff trained in infosec to bring some skills in house for less than the cost of a new hire. And there are indeed plenty of graduate and certification programs in infosec available. However, companies will have to ask how much training is enough, and at what point it might become too much? After all, once your developer is elbows-deep in infosec tasks each day, won’t you need to hire another developer? Better yet, the employee you invested to train is now a valuable asset to you and others. Can you afford to keep them?

The third and most promising option — at least for budget-minded companies — is to outsource infosec services to a provider that can offer them on an as-needed basis without demanding a full-time salary. Sometimes referred to as ISaaS (Information Security as a Service), this can save SMBs a lot of money, ensure their infosec policies and practices are up to par and put them on equal footing, compliance-wise, with their larger competitors.

Outsourcing infosec the right way
What should companies look for when searching for an infosec outsourcing provider? A lot more than just technology, according to Munoz. Information security requires expertise — a person or persons to help define your infosec priorities, design a full security policy around them, educate your staff on different practices and procedures, draft documents and recommend updates when necessary.

Here are four key services an infosec outsourcer should provide:

1. An initial audit. The provider should help you establish and document infosec policies and procedures, including but not limited to: disaster recovery; access control; email security; incident response; business continuity plan; change management. The provider should also make sure employees understand all policies and promise to adhere to them in writing.

2. Some form of adequate infosec training to employees on such topics as HIPAA compliance, PII (personally identifiable information), GDPR, etc.

3. Technical assistance, including guidance on the implementation of cybersecurity tools and postures as well as the generation of penetration tests, etc.

4. Last, but certainly not least, the provider should offer an on-call virtual CISO to be present in situations where a live expert is needed. This person might, for example, sit in on phone calls with clients to answer questions and drive the conversation. This person essentially acts as the company’s information security specialist and is responsible for all requested documents and survey/questionnaire completion.

Outsourcing to a provider who skillfully performs the above duties can keep a company compliant and safe from the threat of security breaches, staggering fines and penalties and infosec illiteracy that might shackle lucrative data-analytics initiatives. It makes it possible for SMBs to satisfy the increasing security demands of large, heavily vied for clients for much less than the cost of hiring a single full-time infosec analyst or CISO.

At CMHWorks, we offer these and additional services to enable our clients to comply with growing infosec demands. Contact us today to learn more about how we can help your organization prepare for its next security audit.