Small And Mid-Size Business Have Security Issues Too

I think that small and mid-size businesses are the most underserved in the information security market today. These companies have not paid the necessary attention to information security, and the data indicates they will pay a steep price for not doing more.

Robert Plant, writing for the Harvard Business Review on June 4, 2013, spoke very plainly and clearly on the need for the CSO in companies today. Mr. Plant in his blog writes:

“First off, if the company doesn't have a CSO and the chief executive thinks the "S" has something to do with sustainability, just fire him. If it does have a CSO and the CEO chooses to eliminate that position, do the same thing, because it's the wrong answer. While you're firing him, inform the CEO that data security is the number one critical need for U.S. corporations today, and that the CSO is kind of like the chairman of the Joint Chiefs of Staff. You wouldn't get rid of the chairman of the joint chiefs in wartime.”[1]

While Mr. Plant is speaking of large corporations, the reality is the CEOs of smaller firms should have the same concerns as large companies when it comes to information security. It may not seem like it, but we are at war — an economic war — and the prize is the intellectual property held by companies large and small. The number of cyber attacks is on the rise and the level of effort being applied by both nation states and cyber criminals is huge. All of us in the security field have heard this before. However, there has been a real challenge in the industry to get information security the role it deserves as a critical component of enterprise risk.

Read more

Deloitte Acquires Vigilant - Harbinger of a Push By Consultancies Into The MSSP World

This week Deloitte announced the acquisition of Vigilant. This is important news for several reasons. With over 14,000 consultants that specialize in information security, Deloitte is the largest and broadest of any security consultancy globally. Deloitte provides customized security solutions across a broad number of vertical industries, including financial services, aerospace, defense, retail, manufacturing, technology, communications, energy and pharmaceuticals. The company's offerings include[i]:

  • Application security — secure coding practices, code review
  • Business continuity/disaster recovery planning
  • Consumerization — iOS, Android, Endpoint Security
  • Regulatory compliance certification, assessment, and audit services (excluding penetration and vulnerability testing)
  • Information security certification, compliance assessment, and audit services (excludes vulnerability and penetration testing, includes SOC 2, and ISO 27001 certification)
  • Data loss prevention
  • Fraud investigation
  • Governance — strategy, design, and implementation
  • Identity and access management
  • Computer emergency response team (CERT) services
  • Information security architecture — strategy, design, and implementation
  • Network security — strategy, design, and implementation
  • Penetration testing (includes cloud, infrastructure, mobile, SCADA, social engineering, and/or wireless)
  • Physical security — strategy, design, and implementation
  • Privacy — strategy, design, and implementation
  • Risk identification and management
  • Security awareness — strategy, design, and implementation
  • Security organization management — strategy, design, and implementation
Read more