430 W4 DQ2
What would you consider to be one of the major challenges when implementing a security program into a small-medium sized organization (SMB)? Explain.
Reply to responses
Hello Professor Ligon and Class,
Small-Medium sized organizations are very different than large organizations when it comes to their implementations of security programs. One of the main challenges that a small-medium sized organization may have compared to a large organization is figuring out the amount of time and resources that need to be spent on their security program. A large organization most likely has unlimited funds and resources that they could spend on making their security program the best since they make more money and have a lot more assets and information to protect. On the other hand, a small-medium sized organization has to stay within very small boundaries that regulate how much time and money they should spend on security. Ideally, a small-medium sized organization would need to spend the most minimal amount of time and money for a fully secure security program, but this is hard to gauge and ultimately obtain. If I was in control of a small-medium sized organization’s security program, I would hire the right amount of security personnel that are knowledgeable and trustworthy in comparison to a good sized ratio of how many employees we had at the time. In the beginning, I would allow a larger budget to outsource for more help on building the initial security program but once the security program was established, I would back off on the outsourcing and I would lower the budget for security incrementally until I felt like I found the sweet spot.
Good evening Professor Ligon and class,
Small-medium-sized businesses (SMBs) at times are fighting an uphill battle with the big corporate business that runs the world. Money, time, and employees are usually the cause of this battle just because the SMBs are smaller in nature. At the same time, SMBs are what make the world go round since there is a big push now to support these SMBs, especially with Covid-19 making a big impact in the world. An issue that these SMBs must understand and have issues with unlike big businesses is security. IT matters to small-medium business success, and security matters to IT success (IS Decisions, n.d.). With technology quickly evolving around the SMB, they must adapt to new ways to keep current with all the threats that are out there. Most SMBs are a big target to attackers because these businesses do not have the proper defenses set in place to protect them from possible attacks. The challenge for this disadvantage is having a lack of something. This something can be resources, cost, training, or even time. SMBs can have trouble juggling these roadblocks since they all play an important role in everyday operations. Without the proper resources, SMBs do not have the ability to update or upgrade the proper infrastructure. Most SMBs do not utilize the correct IT department which hurts employees in receiving the proper training and education on attacks. Finally, time is not a 24 hours, 7 days a week mentality for SMBs. Most only operate day to day and must worry about keeping their doors open without the top coverage from higher corporate levels. This is not to say that SMBs cannot be security-minded. They must understand what works for them and implement a plan that they can have real-time results in that once the baseline of the security efforts is established and you have something fall outside that baseline, you can act quickly rather than seeing the damages once it is too late.
There can be a lot of challenges that a person is faced when implementing a security program into a small-medium sized organization. For one, it would have to be the financial aspect in being able to implement the program efficiently. The financial restraints can range from hardware to software upgrades to stay current with all the necessary security patches. The costs of upgrading software can be very costly and to keep the company profitable, other things are considered critical like the product development or marketing (Kohen, 2017). Some other reason might be but not limited to Lack of Resources, Lack of Expertise/ Understanding, Lack of Information, and or Lack of Training. In 2016 there were 55% of SMBs that were breached and in 2017 that percentage increased to 61% based on the Ponemon Institute Study and they are targeted because they are lucrative as they don’t have the sufficient defenses in place in order to protect themselves (IS Decisions, N/A).
Hello Professor Ligon and Class,
Since I am most interested in the Cybersecurity area of the IT field, I have chosen 3 paths for the three different Cybersecurity jobs. From the website that I was researching this information from, they would mention that for all of the listed Cybersecurity career paths, a degree is not needed. More specifically, “While you don’t necessarily need a degree to get a job in cybersecurity, having some form of structured training might accelerate your path toward a job” (Coursera, 2022). Personally, I do not see how having an IT or Cybersecurity degree could not help out in finding a good job quicker but they describe certifications as being very useful in getting a job. First, Cyber Security Engineering and Architecture requires someone to gain certificates, such as the CompTIA Security+, Systems Security Certified Practitioner (SSCP), Certified Information Systems Security Professional (CISSP), and Google Professional Cloud Security Engineer certificates. After first becoming a Cybersecurity engineer, you may then move up to become a cybersecurity architect. The next career path that I found was an incident responder. This seemed like a cool job as they help out law enforcement find cybercrime and if you were good at it you could catch and remove any cybercrime that has happened to your own personal computers. The certificates recommended to be wanted for this position consist of the GIAC Certified Incident Handler (GCIH), EC-Council Certified Incident Handler (ECIH), Certified Computer Examiner (CCE), and Certified Computer Forensics Examiner (CCFE) certificates. Lastly, the route of penetration testing, or ethical hacking, had a different set of certificates to obtain. This seems like a good route because it describes outsmarting the bad guys and being able to implement fixes or provide advice for fixing upper level vulnerabilities. To be sought after for this, you would need certificates such as the Certified Ethical Hacker (CEH), CompTIA PenTest+, GIAC Penetration Tester (GPEN), and the Offensive Security Certified Professional (OSCP) certificate.
The IT and Cybersecurity fields have been steadily increasing in number and demand, and since the Covid-19 pandemic hit, have blown up exponentially with the popularity of remote work and the increasing need for network security (Indeed Editorial Team, 2021).
Information Security Analysts are generally tasked with the responsibilities of planning and implementing security measures intended to protect company networks and other computer systems. Information Security Analysts are vital to a company’s network security as they are meant to both monitor for current known threats, but to also perform constant research on new threats and vulnerabilities. They are also generally tasked with creating procedural documents in the case of emergencies. The general requirements for this position include a bachelor’s degree in information technology or a closely related field, the Certified Information Systems Security Professional (CISSP) certification or other certifications involving penetration testing or system auditing, and it is recommended that someone in this position have at least 2 years in a similar or related occupation. For soft skills, it is recommended that the individual possesses good problem solving skills, analytical skills, and is highly detail-oriented (U.S. Bureau of Labor Statistics, 2021).
Network and Computer Systems Administrators are responsible for the overall day-to-day operation and maintenance for the network. Their general focus is the physical hardware and software of the network, which includes the computer systems, necessary applications and programs, and the physical components to the LANs and WANs attached to the network. Depending on their experience, they may also be tasked with designing and analyzing network models and then implementing those changes. The general requirements for this position include a bachelor’s or associate’s degree in information technology or a closely related field, for certification, it is generally required that the Administrator be certified with the products they use to ultimately prove competency and knowledge of recommended practices with those products, and it is recommended that someone in this position have some experience in a similar or related occupation, but ultimately the certifications should be able to prove competency. For soft skills, it is recommended that the individual possesses good problem solving skills, analytical skills, and communication skills (U.S. Bureau of Labor Statistics, 2021).