Discussions on appropriate Information Security for SMEs
There is increasing pressure from legislation (for example Data Protection in the UK/EU) and industry regulations (for example the Payment Card Industry Data Security Standard, abbreviated PCI-DSS) on Small and Medium Enterprises (SMEs), whereas previously such requirements really only concerned larger enterprises. Up to the present time SMEs have been both largely uninterested in Information Security Management (ISM) and ill-equipped to do much about it, through a lack of motivation and because Information and Communications Technology (ICT) was not mission critical for their existence and competitiveness. This is changing quickly, and given the importance of SMEs to the UK economy and their increasing reliance on Information Technology (IT), it is vitally important for the UK business world to enable SMEs to do the Information Security (Infosec) they need as efficiently and effectively as possible.
In a previous career I was largely "Big Enterprise" focused, dealing with the kind of organizations that had some ISM focus and resource. On occasion I gained a remote view of some of the Information Security challenges facing SMEs, through some interaction with the SMEs themselves but mostly with their IT suppliers, and I was struck by the enormous differences in "average" capability between the two camps.
Recently, organizations like the Information Commissioner's Office (ICO), the Information Security Awareness Forum (ISAF) and the Information Systems Security Association (ISSA) have started to turn more of their attention to the ISM deficit in SMEs.
The Information Security ("infosec") profession has "cut its teeth" on military and large enterprise infosec challenges. SMEs (probably closely followed by "home users" / consumers) are the next "frontier", and we need to identify what we can profitably use and reuse from the large enterprise infosec experience, without reproducing too many of the (sometimes expensive) mistakes made, and what needs to be built from scratch because of the different SME perspective and changing environment.
I have made a personal start by choosing to research the topic area as part of my MSc project thesis (I am studying full time for an MSc in Information Security at Royal Holloway, University of London). One of the aspects I am looking into is how we can leverage the lessons of the ISO 9001 and ISO 27000 series of standards, COBIT and ITIL, and more recently the Information Security Management Maturity Model (ISM3), to develop something appropriate for the SME community in general.
Also as part of this study, I have created an online survey for SMEs to try to get a better perspective on the wide-ranging variability in requirements across the UK SME community. For example, one of the aims of this survey is to gauge how SMEs who perceive the need would like to receive help in dealing with Infosec requirements, and, if they don't perceive the need, why not.
Can I please encourage everyone reading this article to direct SMEs they know or encounter to have a go at the survey - see the link below.
The survey should not take more than 20-25 minutes if the answers are to hand, and those who complete it can be entered in a draw to win an Amazon gift voucher. A small number of respondents are encouraged to volunteer for a follow-up interview (face to face or over the telephone) lasting maybe 30 minutes, and they may qualify for 1 or 2 days of FREE Information Security management consulting!
Of course, all information collected in the survey will remain anonymous and will only be published in my thesis in aggregated form. All respondents will receive a copy of the final thesis if they wish.
Here's the link to the survey - many thanks in advance!
Allan Wall, CISSP, A.Inst.ISP