Something that bugs me immensely in the quest for privacy and information security is the vast chasm of disconnect between big corporate / enterprise and niche software companies when it comes to data protection. It’s something I tend to notice more and more, as I mostly deal with software companies, start-ups, and managed service providers.
A few weeks ago, I was on a panel discussion with a divisional CISO for a large telecommunications company. The panel was aimed at small business, and it was brought up that small businesses should have a separate privacy office and a red/blue security team. This is not bad advice, in fact it is very good in terms of security, independence, and segregation of duty (SOD), but in the context of a small business it is wholly impractical and disconnected from reality.
“Required” for Enterprise is often “Impossible” (and unnecessary) for SMMEs
Small businesses, particularly software companies, have the ability to seriously bat above their weight. What I mean by that is that an online, tech-ready small business is agile in nature, lean in staff, and generally spends its time hiring top performers to ensure that it does not overspend.
With a VERY small staff complement (often under 60 people), a software company can provide mission-critical tools to a huge enterprise of tens of thousands of employees. The trouble is, the enterprise client often (always) treats the SMME as though it has the same staff size and the same requirements as the enterprise. This is simply not the case.
For a small business to be required to be ISO27001, ISO27017, or SOC2 certified is, in many cases, unattainable. The cost of certification often outweighs the sale, particularly for a start-up. Another challenge in this is trying to implement a rigorous control mechanism and Information Security Management System (ISMS) on the lean operations of a small dev house.
Sure, when there is budget to do so, the standards are good to have (when they are adhered to, I often see small software companies adhere to controls during audit time while disregarding them the rest of the time). But, there are other practical ways for small businesses to stay secure while not being ISO or similarly certified, and enterprises can go a long way in modifying their attestations (those horrible 70-page security documents) to help with this. I recently dealt with a company that had an online form for their attestation, and one could not continue if you could not upload a SOC2 or ISO27001 certificate. Short-sighted at best, this held up an entire rollout.
There should be mutual assistance
Instead, enterprises should have reasonable assistance available to small businesses in terms of filling out these forms. There are loads of “yes, but” answers when it comes to providing answers to these attestations in the small business context, and it would be very helpful to small businesses if large enterprise helped out in a meaningful way. I see it all the time where an enterprise will hold a small 10-person start-up to the same security standards and certifications as they would Amazon, SAP, Oracle, or Microsoft.
Some of the ridiculousness that I’ve seen coming out of large corporate requirements include:
- Requiring PCI-DSS compliance even though the software provider doesn’t handle payments or cards
- Requiring documented compliance to both CCPA (California) and GDPR (Europe) for a solution that would never touch data from or in either of those regions
- Requiring SOC2 datacentre certification for an on-premises solution hosted by the enterprise themselves
- Requiring a manned 24/7 Security Operations Centre for a system that was neither business critical nor hosted sensitive data
Part of the problem in these instances is that the folks sending attestations to small businesses are not information officers, cybersecurity professionals, ITGC auditors or similar, but instead are risk managers outside of the technical space. I understand that not everyone can be technically inclined, so there needs to be some form of escalation to the information security office, CIO, or Information Officer. There needs to be an open conversation about what applies to small business and what doesn’t. This would surely be more efficient for both sides.
This does not mean that small businesses are off the hook here. It is the duty of the small business to ensure they are following some sort of documented process to harden their systems. Implementing quarterly vulnerability assessments, developing with OWASP standards in place, and using freely available standards like CIS Benchmarks will go a long way in allowing you to justify not having a particular certification. It is also advisable to have someone in the organisation trained in some form of security. I’d highly recommend sending whoever is responsible for your deployments on a CEH certification or similar.
Big Corporate is neither bad, nor entirely wrong
All the above said, enterprise-level practices are certainly not bad. They are incredibly robust and well defined – which is something you need when you’re dealing with sensitive information, hundreds of employees, and the risk that big business runs with. It is also something niche software providers must consider in terms of what data they’re housing. If you’re building a small non-critical application, you can probably handle your own compliance in a hybrid approach, but if you’re handling mission-critical data you should factor in certified compliance to something like ISO27001.
Similarly, privacy has its challenges too. All companies, big or small, need to comply with data privacy regulation; the trick is in how you do so. A small business will take a very different approach, but will still comply. Software businesses have a duty to stay within earshot of corporate requirements and implement what makes sense for them, and at the same time, I believe that enterprises need to realise that a small software provider may take a different route to compliance, and should be supported instead of shot down.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.