Cybersecurity Essentials for Small Businesses

Lesson 02 of 12

Cybersecurity Starts at the Top (Episode 2)

From How Secure Is Your Business - Really?
Audio lesson

Overview

Explore why governance and risk management are crucial for small and mid-sized businesses, and discover practical steps to make cybersecurity leadership, compliance, and policies effective—without complexity. Real-world examples and simple best practices will help you set direction and reduce risks, no matter your organization's size.

Transcript


Cybersecurity Essentials for Small Businesses: Cybersecurity Starts at the Top (Episode 2) — full transcript

Governance and Risk Management

Noel G Alexander: Hey everyone, welcome back to "How Secure Is Your Business – Really?" I'm your host, Noel Alexander, and today, I wanna get into a topic that really sets the direction for every other cybersecurity decision in your organization: leadership and accountability. Now, if you caught our first episode, you’ll remember we talked a lot about the basics—those simple wins that can make a huge difference for SMBs, right? Well, today we’re moving up a level. We’re talking about how cyber risk isn’t just an IT problem, or something you can delegate purely to your tech team. No, it has to start at the very top—your executives, your board, basically anyone in a position to steer the ship.

Noel G Alexander: So, why does leadership own this? I mean, look, you can have all the firewalls and security software in the world, but if nobody at the top gives it direction, it gets messy—fast. That’s where roles like your Chief Information Security Officer, or CISO, come in. The CISO acts as the bridge between what’s important for your business and your security priorities. Now, I know what you’re thinking—“We can’t afford a full-time CISO.” Totally fair. A lot of SMBs are in that boat. And that’s where the vCISO—virtual CISO—model makes sense: you get leadership and expertise, but on a fractional basis. It's kind of like having a consultant in your corner, but they’re hands-on and focused just on your risk.

Noel G Alexander: Let me share a quick story. There was this regional healthcare provider—I’m not going to name names—but after a ransomware attack, their patient records were offline for weeks. Big headache. Turns out, they were letting the IT helpdesk team run the show without any real oversight, and, well, you can guess how that worked out. So after the incident, the board finally stepped in and brought on a vCISO. What changed? Suddenly, there were clear channels between IT, compliance, and the executive team. Regular risk discussions. Within six months, not only did their security posture improve, but the community actually felt more comfortable trusting them with sensitive data again. That’s the power of visible, accountable leadership.

Noel G Alexander: Now, if you’re wondering how to apply some of this, here’s a really practical tip: form a cybersecurity oversight committee. It could be some IT folks, a board liaison, an exec or two. Meet quarterly—really, just commit to that rhythm—look at what risks have popped up, review any incidents, track your progress. And make sure you document this stuff. Accountability is so much easier to manage when everyone knows what’s expected, and there’s a record of who’s doing what.

Making Sense of Compliance and Standards

Noel G Alexander: Alright, so let’s shift a bit here. Because once that leadership piece is in place, every SMB starts hearing about compliance—NIST, PCI DSS, HIPAA, ISO. Feels like alphabet soup, right? I joke about it, but I remember the first time someone handed me the NIST Cybersecurity Framework and my eyes just glazed over. But these standards aren’t just paperwork for auditors; they actually help organize your security program in a way that’s proven to work.

Noel G Alexander: Quick rundown: NIST CSF is all about those five actions—identify, protect, detect, respond, and recover. If you can remember those, you’re already ahead of the game. ISO 27001? That’s the gold standard for a formal information security management system, and yeah, it’s recognized worldwide. For those handling credit cards—PCI DSS is a must, no way around it. And then HIPAA is what healthcare has to worry about with all that patient data.

Noel G Alexander: Here’s a real-life example—an e-commerce startup I worked with. HIPAA wasn’t even on their radar, but investors and payment processors demanded PCI DSS compliance. By mapping their controls to PCI requirements, not only did they meet the minimum bar, they actually reassured investors that they could scale securely. That mapping exercise helped them kill two birds with one stone.

Noel G Alexander: So here’s my advice, especially for SMBs: don’t try to boil the ocean. Nobody expects you to comply with everything under the sun. Start with what’s required by your industry and what your customers or partners expect. If you need to check more than one box, do a mapping exercise—see where controls overlap. Sometimes what you’re already doing for PCI, for instance, might knock off a ton of ISO requirements. And make it about your business first, not just the framework. That’s how you avoid getting buried in paperwork and make compliance actually support your strategy, not just your auditors.

Managing Risk and Enforcing Policy Effectively

Noel G Alexander: Now, let’s get down to what actually matters in the day-to-day—managing risk and making sure policies stick. And I know “risk assessment” sounds intimidating, especially for smaller organizations, but at its core, really, it’s just figuring out what could go wrong and how bad it would be. I might be oversimplifying a bit, but that’s the main question.

Noel G Alexander: Most people think of hackers, but risk comes in a lotta forms—data breaches, accidental mistakes, supply chain hiccups, even natural disasters. The trick is, you wanna analyze how likely each risk is, and how much damage it’d cause, and then rank ‘em. If you’ve never done a risk register before, imagine a spreadsheet: you track each risk, assign an owner, score the likelihood and impact, and decide what you’ll do about it.

Noel G Alexander: Here’s a quick case study—a logistics company did their first formal risk assessment and, believe it or not, the biggest threat wasn’t hackers at all. It was that all their systems lived in a single data center that was, uh, conveniently sitting in a floodplain. Not a great idea. Switching to a cloud backup actually did more for their resilience than spending another dollar on firewalls or antivirus. So sometimes it’s not the technical stuff that saves you—it’s thinking a little wider.

Noel G Alexander: Policies—this is where the rubber meets the road. You need clear, practical rules: what’s allowed, what’s not, and what happens if you break them. I’ll admit, sometimes I write these policies and think, “Is anyone gonna actually read this?” But real change happens when you roll stuff out in plain language. For instance, I once worked at a finance firm that banned personal devices on corporate Wi-Fi. At first, everyone ignored it. So IT started enforcing it technically, with network controls, and compliance shot way up. Malware incidents? Dropped off a cliff. Key is, you give everyone a heads-up, do some training, answer questions—then make it stick gradually, not overnight with a hammer.

Noel G Alexander: So, look—if you take anything from today, let it be this: governance and risk management give you direction and focus. It starts with leadership, not IT, and compliance should work for your business, not against it. Risk assessments can uncover stuff you never thought about. And policies? Keep ‘em simple, enforce ‘em fairly, and actually talk with your people—don’t just send a memo. Alright, that’s it for this episode. Next time, we’ll dig into practical approaches and tools for asset management. Lastly, you may purchase a copy of my book, A Simple Guide to Cybersecurity for Small and Medium-sized Businesses, on Amazon, or for a complimentary copy, send an email request with your name, phone number, and company name to noelga@vastmanagementcorp.com. Until then, ask yourself—how secure is your business, really?