Newcomer I


Most, if not all, of the training and certification materials for cybersecurity (e.g., CEH, CISSP, CISM, Security+) focus on larger organizations. What about small businesses and individuals? In many ways, the failures to implement information security measures are similar. In many respects there are similarities between large organizations, small to medium businesses and individuals. The reasons might be: it's too expensive, it interferes with the business or plans, the attitude that it won't happen to me, it's too much work or it's too complicated. Failure to implement cyber security for these groups is like the failure of people to get immunizations. Exploits affecting small businesses or individuals can affect others as well. Access to one infected system in any of these groups can cause an epidemic of exploits. The factor that links these groups together is that all organizations are comprised of individuals, all of whom are consumers. In this regard, it was reported (2017 Norton Cyber Security Insights Report Global Results) that cyber crime cost consumers $172B in 2017 and about 3 full work days to deal with the aftermath, with the ultimate effect of loss of productive activities for businesses and individuals. Education, and not necessarily technology, is a solution. Some organizations take on this responsibility, if for nothing else but for compliance with regulations and laws. For individuals not in these groups, there is no formal mechanism for education. In this regard, discussion of the NIST 7621 rev 1, 2016 small business information security framework is absent from the CISSP, CEH, CISM, Security+ certifications (as of this date). Non-technical (and some technical) individuals as well as small businesses using devices to access the internet for personal or business purposes need to be informed in a way that is accessible to them.

4 Replies
Advocate I

Having started, operated and eventually sold one small business (two others eventually failed), I can say it's certainly a challenge to meet both security and regulatory requirements. It takes a bit more discipline for the SMB than, say, a large+ organization, but it is doable, if not necessary, if one wants to continue being in business.


As far as the training or legal landscape is concerned, I am not sure how to answer your question, but here's a shot at it.


Laws, regulations and compliance give all businesses, whether startup or global conglomerate, an even playing field. Though occasionally these rules are relaxed a bit for small and medium sized businesses, such as under the American Affordable Care Act (ACA), these cases are unfortunately rare. Off the top of my head I cannot really point to any HIPAA or other regulatory statutes carving out exceptions. SARBOX doesn't apply to small businesses, only to publicly traded entities, so it is possible for one to be considered an SME, but that would be the exception, not the rule.


Security training tailored specifically to SMEs does exist, but it is still expensive on the budget and, from what I can remember viewing over the years, would be watered down or ineffective. Again, it's about leveling the playing field for all competitors, not giving any one business an advantage (outside of agility). That would be unfair in itself.


Given that, I see no market or need for a watered down SME/B certification set aimed strictly at small business. Where would the value be in such a two-tiered system, where you'd be responsible for going back and re-certifying with the full edition of the same exam? What if one changed positions, bouncing back and forth between working for a large corporation one year and a small organization the next? Does that person need to go back to coursework because they changed positions, or carry both a small and a large set of certifications?


As a side note: using paragraphs to separate thoughts would help structure and readability.



Contributor III

Hi, @judoal,


I'm somewhat struggling with your post. What is it that it hopes to achieve, I wonder? If it is simply sharing your bewilderment about the situation that smaller companies struggle to use existing knowledge, well, I can at least nod to most of what you write. Last year I wrote a thesis about the very same thing: the failure of innovative companies (in my case: a volunteer driven IoT network) to use readily available knowledge, standards and best practices. The lack of sufficient security controls in the IoT world has since become a mainstream theme, though it would be a wild exaggeration to say that it was because of me, as happy as I would have been to have caused such a stir 😛


Indeed, education may be a solution. But who will educate whom? (ISC)² tries to do at least something with our special programs for seniors and school children (e.g. Safe and Secure On-line). Is your message, perhaps, that we should start a new initiative to help these small businesses?


Or, perhaps, do you merely want to underline the importance of including the NIST 7621 rev 1, 2016 small business information security framework in the CISSP or other (ISC)² curriculum?


As it is now, and as @Beads also pointed out, it is hard to find the intended meaning of your post. Perhaps you can elaborate a bit?


Heinrich W. Klöpping, MSc CISSP CCSP CIPP/E CTT+
Newcomer I

Thanks for your responses. After I gave my presentation to a small group at a local library, and after talking with other people, as well as from my own experiences before getting involved with cyber security, I realized that individuals in and out of organizations need more education regarding the use of the internet. We go through training to learn how to drive a car, for example. The training includes how to operate the vehicle as well as safe practices. However, people get computers, learn a little about how to operate them and then jump on the internet without regard to safe practices. Like unsafe drivers on the road, unsafe internet practices can affect many other people. Perhaps this is a naive or simplistic approach, but it does represent a real problem. While I don't have years of experience in this business, from what I've read, many exploits are due to people and not technology. My post was just my musings over this as I wonder about how to make a contribution, other than getting out there and talking with individuals and groups.


At the very least, people should have some tools and a heads-up about what they are doing when connected to the internet. Most/many do not know where to start, given the recurring threats.


Anyway, thanks for the feedback.




Newcomer III



I think I understand where you're coming from. Not everyone is from a massive PLC. A data breach is a data breach. Security is everyone's responsibility at some level. I'm from the UK; we have a wonderful baseline aimed at ensuring small businesses have a secure cyber posture. It's not quite ISO 27001, but it has elements of the Common Criteria and other common sense elements. More importantly, it is aimed specifically at smaller businesses.


The scheme is called Cyber Essentials. Naturally, as with any scheme and certification body, there are training courses and providers. The UK also made it a requirement to tender for any UK public body work, which helps drive adoption of this "basic" level of assurance at small to medium companies.

Hope this helps,