2 research outputs found

    An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration

    Information security threats and their associated breaches are growing exponentially, with millions of records containing personally identified information released to the public each year. Cyber incidents targeting businesses nearly doubled in the U.S. over the past 6 years, with more than 130 large-scale targeted breaches per year in the U.S. In the first half of 2020, 36 billion records were exfiltrated by external hackers, with the cost to recover from a cyber-attack averaging $21.00 per record. While Small and Mid-sized Businesses (SMBs) attempt to stay ahead of this growing trend and protect organizational data, they have specific behaviors that do not affect larger organizations. The four behaviors (non-strategic executive-level sponsorship, apathetic risk management procedures, constrained resources, and non-existent technical skills) are identified in the literature and recognized within the small to midsized industry. If not correctly identified and remediated, these behaviors may impede the businesses from protecting information assets and achieving a mature level of information security governance. To assist organizations in achieving information security governance, the literature identifies five domains that all organizations should possess for organizational alignment and governance maturity. These governance domains are Strategic Alignment, Value Delivery, Risk Management, Performance Measurement, and Resource Management. However, extant literature neither aligns the five governance domains with the small to midsized business behaviors nor provides a solution to assist SMBs in achieving information security governance. The literature review focused on four main aspects that are relevant to the study: SMB Characteristics, Virtual Leadership, Information Security Governance, and Information Security Program.
Previous research identified how similar organizations utilized virtual leadership positions to overcome SMB behaviors to attain organizational business requirements but did not identify virtual positions that can assist SMBs with information security governance. To bridge this gap, this study explored a recent phenomenon, identified as a virtual Chief Information Security Officer (vCISO), that can align the SMB behaviors with the five governance domains and provide a viable solution for SMBs to achieve Information Security Governance within the identified behaviors. Specifically, this qualitative exploratory study interviewed six vCISOs and 14 companies to examine the role the vCISO provided in bridging SMBs' organizational behaviors with the five Information Security Governance domains.

    Strategies to Reduce Small Business Data Security Breaches

    Organizations affected by data security breaches may experience reputational damage and remediation costs. Understanding the data security strategies needed to protect small businesses is vital to safeguard company data and protect consumers’ personal information. Grounded in systems theory, the purpose of this qualitative multiple case study was to explore the strategies small business owners use to reduce data security breaches. The participants were 4 small business owners located in the southern region of the United States: 2 franchise small business owners and 2 nonfranchise small business owners. Data were collected from semistructured interviews and organizational documents. Yin’s 5-step data analysis was used to analyze the data. Two themes emerged: information assurance and third-party dependencies. A key recommendation includes small business owners implementing a contingency plan to manage a data security breach. The implications for positive social change include the potential for small business owners to develop data security strategies to protect their organizations from experiencing a data breach. Protection from data breaches can, in turn, rebuild trust with small business owners and increase spending, increasing the local community’s tax base that may be used to improve social services in the local community.