Information Security for Small and Midsized Businesses – An Essential Guide for SMBs and vCISOs Alike
If you practice as a virtual CISO long enough, you begin to discern commonalities among the clients you serve. Among these is the lack of understanding of what we in the information security community would consider basic principles. If not addressed, the potential success of the virtual CISO is in doubt.
Being a virtual CISO is difficult. You’re part Chief Information Security Officer, part consultant, part entrepreneur, and part small and midsized business strategist. I have often said that many CISOs would not make good virtual CISOs, and vice versa. I have zero global CISO experience and wouldn’t do well managing a team of 100 or more across multiple time zones. Conversely, one in that position would find it difficult to shift to the virtual CISO realm.
Why? Because there are major differences between information security practices at small businesses and at global enterprises. Sure, they all start from the same place, protecting their information. But it diverges from there. I have found over the past seven years as a practicing virtual CISO that “vCISOing” at times is much more art than science. I am an SMB counselor. It is important that at the start of the relationship I understand the business and its risk tolerance.
However, you’re not going to find many SMBs with a written risk tolerance statement. Yet as the trusted advisor you can discern it, if you’re proficient in business communication. It’s rarely enough, or even proper, to throw a framework at an SMB as the sole information security strategy. Sure, frameworks are important, and we start by determining what is appropriate for an SMB (often NIST CSF; CIS 18 is appropriate as well). But that’s not the end of building and managing the program, it’s the beginning.
Information security, at its core, is risk management. Most SMBs don’t understand the concept or value of a risk register. Unfortunately, I’m not sure the majority of virtual CISOs do either. Yet I submit that it is the most important tool for the client. Gapping against a framework will give you a binary view of what you do or do not do, but a risk register goes further, explaining why and documenting risk-based decisions. It provides depth to the security risk management program, going from two dimensional to three dimensional.
That’s where a virtual CISO can add value well beyond information security. An excellent and competent virtual CISO will serve as a risk management educator to SMBs. By thinking like a risk manager, they mentor the business, by association, in risk management beyond information security. A positive side effect is that the virtual CISO learns and understands more about the business, its processes, and its risk tolerances. It’s a great feedback loop. With that, the virtual CISO can better serve in their primary duty of advising the business on managing information security risk.
Most security references do not teach information security pros or SMB executives how to think like an information security risk manager. As a result, SMBs most often view information security as purely cybersecurity—focused on technical issues and ignoring other areas such as governance, risk management, and awareness training beyond compliance.
I don’t know if there is any way to properly learn this beyond experience. The virtual CISO needs to understand what to ignore. Don’t take that literally; obviously all aspects of information security should be addressed. But the effective vCISO will understand risk prioritization. They will be able to tell the SMB that “no” is an appropriate response when considering whether to apply a control, and that accepting a risk is proper given the environment.
There needs to be a merger from both sides for this to happen. The virtual CISO needs to have considerable business acumen and communicative skills. On the other side, the SMB executives need to understand basic information security concepts in a language they understand.
This is the primary reason I wrote Information Security for Small and Midsized Businesses. I found myself in my vCISO career encountering SMB executives who did not understand that information security transcends cybersecurity—in other words, information security is much more than implementation and management of technical controls like firewalls and EDR systems. As a result, I began spending more time educating SMBs on what we in the industry would consider relatively simple concepts, in business language, not infosec-speak.
As time passed, I realized many of these sessions were repetitive across clients, and a compilation of them would make for a good primer guide for SMBs. What began as a lead magnet on vCISO Services, LLC’s website became the valuable reference available today. It is my intention that Information Security for Small and Midsized Businesses provides SMBs with a pragmatic understanding of the information security risks they face and potential ways to address them.
The book also holds value for the virtual CISO by functioning as a guide for how to explain such concepts to their clients. Too often, jumping to technical or industry jargon results in “deer in the headlights” reactions from the client. They may say they understand, but do they? The virtual CISO responsibly serves their clients only when they have fully advised them on information security risk. This book, like other tools focused on delivering support for the virtual CISO, including Cynomi, can help with that. Full transparency—vCISO Services, LLC is a Cynomi partner.
Ultimately, my goal is to help improve SMB security; this is just one initiative. Nor is it static. While the third edition was released not long ago, in late June 2024, I am already compiling feedback for the fourth edition, planned for release in 2026. Technology, the threat environment, and our field constantly evolve, and so should this book adapt to those changes. On that note, I am always interested in constructive suggestions for the next edition.
We are in this fight together. Whether you’re an SMB executive, a practicing (or aspiring) vCISO, or someone interested in SMB security needs, Information Security for Small and Midsized Businesses helps achieve the goal we all want—as secure an environment as possible for SMB information and processes.