Industry solutions are tailored for big companies and big budgets, leaving SMBs in the dust.
While talking to a colleague several weeks ago, I mentioned that I was going to be in New York City for a security conference. I pointed out that I was doing the event "on the cheap" since I had not budgeted for it; I was very proud that I was going to spend a week in Manhattan, attend a conference and only cost my company $300. My colleague replied, "Remember when you could blow $300 on breakfast and no one would notice?"
That offhand remark about lush expense accounts really made me think about how my situation had changed.
When I started my career, I worked for one of the Big 6 (now the Big 4) accounting/consulting firms and have since worked for several Fortune 500 infosecurity consulting companies. As a security consultant, I always preached best practices and big-budget solutions. Many of my Fortune 500 clients were readily willing to make whatever changes were necessary to bolster their IT security and comply with government mandates. While cost was a consideration, it was not a major concern.
But in my current job--information systems security manager for a regional bank with about 300 employees and 15 branches in upstate New York--things are very different.
For small to midsize businesses, cost is at the top of everyone's mind when it comes to handling IT security issues. While wearing my regional banker hat, my approach is more along the lines of, "I really would like to follow best practices and put in that new security device, but where am I going to get the money and do we really need the product?"
My employer is a publicly traded company, and we have to deal with all the same legislated compliance issues as our larger brethren. Essentially, we have the same compliance requirements without the deep pockets.
Recently, we had internal debates about how to effectively retain e-mail without busting the proverbial bank. Doing nothing would put my bank at risk from both compliance and security perspectives, but doing too much would put our earnings at risk. These types of decisions are really what drives IT security planning at our organization.
This dichotomy between large and small companies really bothers me. Most people in my position read about solutions in various industry magazines and newsletters. There are tons of conferences that talk about IT security issues and how to address problems. The key thing is that all these media are targeted at large corporations with big budgets. What about us little guys?
You might wonder if I miss my old life and my big budget. Quite truthfully, I don't. It's nice not having to hop on a plane every week, plus I get to spend a lot more time with my family. It's also a heck of a lot more challenging creating an effective IT security environment in a small company.
That said, I do kind of miss my $300 breakfasts.