Should there be legislation designed to create better cybersecurity regulations for small- and medium-sized businesses (SMBs/SMEs)?

Governance, Risk & ComplianceSecurity & GRCRisk Management
1.4k views1 Upvote5 Comments
Head of Enterprise & Solution Architecture, 1,001 - 5,000 employees
We have financial audits that happen quarterly, as well as annual ones, so maybe we should have something similar in the data security space. There should be at least a minimum requirement that a company has to meet to store data, especially personal data.
2
CISO in Software, 51 - 200 employees
This country is built on small business. What do we do with all these small businesses that have no knowledge of IT? Is there some mandate that you have to hire a small business consultant to set up your computers? I don't know how far we can take it. They certainly do that for government agencies. The ransomware committee—or whatever they're calling it—is doing SBOMs, and setting all these criteria. If you want to be a government contractor or if you're in government, you have to follow all these guidelines.
2 2 Replies
VP, IT and Operations in Software, 1,001 - 5,000 employees

I think that's a great idea. You could divide things by the type of business you register. If you are a company that does taxation, you handle very sensitive data. I think you need a different layer, where you have to meet certain criteria but they have to be relevant to the kind of business you are in. So even if you're a small business, if you're focused on sensitive personal data, then you should have to get a certification every six months to be in business. It's similar to the way we've had mask wearing enforced during COVID. Cybersecurity measures have to be enforced, otherwise it's very hard for companies to inculcate those things into their operations. Obviously it will involve more costs, but that cost could be translated to the service they're providing. For example, maybe I have to pay my tax accountant a little more than what I pay today, but at least I am assured that my data is secure.

2
CISO in Software, 51 - 200 employees

It could even apply to restaurants. Because they're supposed to be PCI compliant with their credit card processing, but when I see the screensaver on the point of sale machine (POS), it's Windows XP embedded. I don't know if that's safe or not.

Group CIO in Manufacturing, 1,001 - 5,000 employees
Excellent idea. I would recommend that there can be a Cyber Security resilience committee comprising of security vendors to which companies can hook to get cyber resilience as a standard. Imagine we fighting it together and coordinated and any new organisation can hook into the framework.  There could be various levels of security posture that can be defined based on industries and companies have the option to choose from. With SIEM, DLP, endPoint security etc going cloud this is very much a possibility.
2

Content you might like

Have you patched Log4j yet?

Threat & Vulnerability ManagementThird Party Risk Management (TPRM)Risk Management

Yes39%

Yes, but third & Nth parties are still a concern39%

Mostly16%

No4%

Don't know1%


184 PARTICIPANTS
1.3k views

Would anyone be willing to share best practices about how their organization deals with ensuring Cookie Compliance, specifically to GDPR rules? Where should this sort of compliance review sit in an organization? The particular issue we have is who should review new web deployments that use cookies and to make the decisions on whether Cookies are Strictly Necessary or Functionality Cookies. For example is a Cookie required for a Live Chat to work Functionality or Strictly Necessary? Our Security team does not consider taking on these compliance reviews as their domain, as Cookie Compliance is not an internal security matter and the Data Protection team has a limited interest as the GDPR rules around Cookies apply in case of any Cookie being used by a website, whether or not it contains personal data. 

Security & GRCRegulatory Compliance
601 views1 Comment

How soon do your new employees get security awareness training?

Awareness & TrainingRisk ManagementSecurity Strategy & Roadmap

First day on the job10%

Sometime during their first week52%

Sometime during their first month26%

2-3 months after their hiring date6%

It depends on their role/level3%

Other (explain in the comments section)1%


299 PARTICIPANTS
1.2k views

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
143 19 Replies
Read More Comments
47k views133 Upvotes324 Comments

CISOs: What’s your typical role in M&A? When are you brought in (and how does that compare to when you’d like to be brought in)?

Process ManagementRisk ManagementSecurity Strategy & Roadmap
456 views1 Comment