I am not claiming to be a network security expert, but here is a trend: while SMBs consistently place network security as their number one IT priority (the Gartner SMB IT survey is only one example), many CEOs have “outsourced” the issue to their overworked IT departments, assuming that they will know what to do. As a CEO, CFO or any other C-level executive, there are some questions you should ask yourself about your network security and about the assets you are actually protecting.
What is the business impact of a network security breach? Actually, I can’t answer this question for you without knowing your business. What I do know is that there is something you want to protect. It can be as simple as a customer list with all the data you have accumulated on their buying habits, it can be your financials, it can be the specs of your new product or your customers’ credit card data. The business damage can be loss of customers, loss of credibility or even lawsuits from customers whose data got exposed.
But why do C-level executives need to be involved? Network security is part of running the network, and that is why you pay your IT director, isn’t it? His team built the network to begin with, so they can keep it secure. This perception will change if you spend a few hours with your IT staff. The average IT department is constantly putting out fires: between user questions, software installations, patch updates, laptop configuration and more, they just don’t have time to think and plan ahead. They also suffer from…you. When they come to you with projects that are not urgent, you usually find a way to convince them that it is not that important.
What’s the pitfall in network security? Many C-level executives in SMB companies apply physical security thinking to network security: I have a modest house, why would anyone steal from me? In reality, hackers don’t care if you are big or small, or whether you are protecting your 35M of annual revenue or the 350B of Wal-Mart. Unlike in the physical world, they are not limited by geography or even capacity: they can attack anyone in the world and try thousands of times a day, so instead of “studying the neighborhood before they act” they just hit the entire city and enter any unlocked door.
The vulnerabilities in your network are like signs inviting hackers to try them out—and trust me, they will. Just like insurance, you can’t wait for the damage to happen and buy it after the fact. You have to assess your level of risk and get the right level of protection.
Very interesting and useful post.
Thanks, your blog is in my RSS reader now 😉