Cybersecurity For Small Or New Organizations: "You Cannot Be Serious"
In June 1981, the 95th Wimbledon Championships tournament saw Chris Evert Lloyd -- now going by the name Chris Evert -- win her third, and final, singles championship. She was awarded £19,440.
That's not what people remember about the '81 Wimbledon Championships.
What they remember is the men's finals where a trash-talking New Yorker (full disclosure: we are ourselves native New Yorkers) who had excelled at the collegiate level while at Stanford, lost at the 1980 Wimbledon Championships, challenged all the calls he didn't like, made a spectacle of himself by being fined for berating umpires and referees, and created "buzz" at one of the ultimate upper-crust staid sporting events, beat the reigning world champion, Bjorn Borg.
(The British tabloids referred to McEnroe as "SuperBrat" and Borg as "Ice Man." For his victory, McEnroe won £21,600.)
John McEnroe's contribution to Western civilization was the line "you cannot be serious." That is a good starting point for a discussion about cybersecurity for small or new organizations, which generally are at the low end of the CISO continuum.
Your goal as a small or new company is growth, and that happens organically by increasing revenue. Profit emerges from revenue by controlling costs. You're dealing with online systems almost immediately, particularly point-of-service payment systems (credit-card swiping), websites, and B2B vendor systems.
In terms of cybersecurity providers, you probably do not have a dedicated cybersecurity employee, so you need to do your own systems due diligence: Do my partners and vendors have a cybersecurity process in place? What are their policies if there is an incident? How do my systems relate to theirs?
You have to anticipate that you too will need to manage your cybersecurity risk. Remember: cybersecurity is about increasing access for people who should have it and denying access to those who should not have it. When you assess vendors, ask them how they will help you answer these questions:
- Are the right things being protected?
- Is that protection actually happening?
- Is that protection effective?
These questions are important because they help you understand what you value and what cyber-related behavior you are willing to tolerate relative to your values. For example, using the company's systems to engage in online gambling or hang out on questionable websites increases your cybersecurity risk. A reasonable manager should have final say on what is acceptable online behavior when using the company's systems, if for no other reason than that cybersecurity reflects one of your value propositions as a business.
If your vendors or employees cannot answer your cybersecurity questions adequately or comply with your rules about systems usage, be like Mac and say "You cannot be serious." Then go out and compete like Chrissie.
Drop a comment in the box about how you have interviewed potential cybersecurity vendors and set up your initial systems.
Ask us how we can work with you to get set up for a successful launch of a cybersecurity program for your business, or to vet your potential vendors.