I've had this conversation more times than I can count. A business owner, somewhere between 15 and 150 employees, finally sits down with me after something went wrong—or after a client asked them to fill out a security questionnaire they couldn't answer—and the first thing they say is some version of: "We're too small to be a real target." The second thing they say, usually within the same breath, is: "We can't afford to do security the way the big companies do it." Both of those statements are wrong. The first one is dangerously wrong. The second one is a false choice that's kept a lot of small businesses exposed for no good reason.

You don't need a 20-person security team, a SIEM with a seven-figure contract, or a 200-page information security policy to protect a small business. But you do need someone who is actually responsible when something goes wrong—someone who made deliberate decisions about your risk posture, can explain those decisions, and can be held accountable for them. Most small businesses have no one filling that role. That gap is exactly what attackers count on.

The attacker doesn't care that you're small. They care that your defenses are weaker than the company down the street.

01 Why Small Businesses Became the Primary Target

The shift happened gradually and then all at once. Large enterprises spent the better part of a decade hardening their perimeters, building security operations centers, deploying endpoint detection tools, and paying significant salaries to keep experienced security staff. The result: attacking a Fortune 500 company is a difficult, high-effort operation that often fails or triggers a rapid, experienced response. Attacking a 30-person accounting firm, a regional law practice, or a medical group with two locations is a different calculation entirely.

Verizon's Data Breach Investigations Report has tracked this trend consistently. Small businesses account for a substantial share of confirmed data breaches annually—not because they're targeted with sophisticated nation-state tooling, but because the basics aren't in place. No multi-factor authentication. Outdated software. Employees clicking phishing links because no one trained them not to. Backups that haven't been tested. Passwords reused across personal and business accounts. These aren't exotic attack vectors. They're routine, and they work.

The economics of modern ransomware made this worse. Ransomware-as-a-service lowered the barrier to entry for attackers to near zero. You no longer need technical sophistication to run a ransomware campaign—you rent the tools, buy access to compromised credentials on dark web markets, and let automation do the work. Small businesses became targets of opportunity at industrial scale. The ransom demands are sized to what small businesses can actually pay: $15,000, $50,000, $200,000. Big enough to hurt. Small enough that many victims calculate it's cheaper to pay than to fight.

The Targeting Logic

Small businesses have weaker defenses, fewer resources to respond, and are more likely to pay quickly to get back online. That profile makes them attractive, not unattractive.

The Supply Chain Angle

Attackers targeting a large enterprise often come through a small vendor or partner first. If you do business with larger organizations, you may already be a target by association.

The Data Reality

Law firms hold client confidences. Accounting firms hold financial records. Medical practices hold health data. Small doesn't mean low-value data. It often means high-value data with low security.

Government contractors sit in a uniquely exposed position. If you're pursuing or holding federal contracts, your systems touch government data or federal contractor information. That makes you a supply chain target. It's also why CMMC—the Cybersecurity Maturity Model Certification framework for defense contractors—now requires documented security practices as a condition of contract eligibility. The government isn't asking nicely. If your business depends on federal contracts and you can't demonstrate a baseline security posture, you lose work. That's a new reality for a lot of small contractors in the aerospace, defense, and government services space.

02 The Actual Problem Isn't Technology. It's Accountability.

When I do an initial assessment with a small business, I'm not usually surprised by the technical gaps I find. Unpatched systems, weak password policies, no incident response plan—these are common and fixable. What I'm consistently struck by is the accountability vacuum. Nobody owns this. The IT person—if there is one—keeps the lights on and the printers working. The office manager handles vendor relationships. The owner has seventeen other things demanding attention on any given Tuesday. Security decisions get made by default, which means they don't get made at all.

This matters enormously when something goes wrong. A ransomware event doesn't just break your systems—it triggers a cascade of decisions that have to be made fast, under pressure, with incomplete information. Do you pay the ransom? Who makes that call? Do you have cyber insurance, and does it cover ransomware payments? What are your notification obligations if client data was accessed? Who calls the clients? Who calls the insurer? Who calls the attorney? In a large organization, there are people with designated roles for each of those questions. In a 20-person business, those questions land on the owner simultaneously, at 11 PM on a Thursday, when the systems have been down for six hours and employees can't work.

Security isn't just a technical problem. It's a decision problem. And in most small businesses, nobody is designated to make those decisions until the crisis is already in progress.

The accountability gap shows up in subtler ways too. Without someone responsible for security decisions, businesses end up with a collection of disconnected tools nobody manages—antivirus software that hasn't been updated, a firewall configured by a vendor three years ago that nobody has reviewed, a cloud storage account where employees dump client files with no access controls. The technology is there. The intentionality isn't. And when something goes wrong, nobody can answer the basic questions: Did we have a policy covering this? Was anyone responsible for enforcing it? What decisions were made about our risk exposure, and by whom?

The Accountability Test for Your Business

If you can't answer these questions quickly and clearly, you have an accountability gap—not just a technology gap.

For government contractors, the accountability question has a regulatory dimension. CMMC requires that someone at the organization can attest to the implementation and maintenance of specific security practices. That attestation has legal weight. If you're signing a System Security Plan or a SPRS score submission, you are personally asserting that your security controls are in place. If they aren't, and that's discovered during an assessment or after an incident, the exposure isn't just contract loss—it's potential False Claims Act liability. That's a serious consequence for a small business owner who assumed someone else was handling it.

03 What a Small Business Actually Needs

The good news is that a 20-person company doesn't need to do what a 2,000-person company does. The basics, done consistently and with intentionality, close off the vast majority of the attack surface that small businesses get exploited through. The bad news is that even the basics require someone who knows what they are, knows when they're not in place, and is empowered to fix them.

NIST released version 2.0 of its Cybersecurity Framework in February 2024, and one of the substantive additions was a new "Govern" function that explicitly recognizes organizational accountability as a security control. This isn't academic—it reflects what practitioners have known for a long time: the technical controls only work if someone is responsible for them. The framework now formally acknowledges what small business owners often discover too late: security is a management function, not just an IT function.

What "The Basics" Actually Means for a 20-Person Business

Multi-factor authentication on email, cloud storage, financial systems, and remote access. This single control stops the majority of credential-based attacks. It costs nothing to enable on most platforms.
Patching and updates on a consistent schedule. Not whenever someone gets around to it—a defined process, someone responsible for it, documented evidence it happened.
Backup and recovery testing. Not just having backups—actually restoring from them periodically to confirm they work. Ransomware victims who had backups and couldn't use them are a recurring story.
Access controls. Employees access what their job requires, nothing more. Former employees are removed promptly. Someone reviews this periodically.
Employee awareness. Your staff is your largest attack surface. A single phishing training session per year isn't enough. Ongoing, practical awareness that keeps people skeptical of suspicious emails and links.
Incident response basics. A written, tested plan for what happens when something goes wrong. Who calls who. What systems get isolated. What the legal and regulatory notification obligations are for your industry.

None of those require a sophisticated security program. They require decisions, documentation, and follow-through. They require someone who checks that they're actually happening, not just assumed to be. For most small businesses, that someone doesn't exist—which is why the basics so often aren't in place even when an owner is genuinely trying to do the right thing.
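As an added example, not code from the article or from Security Medic, here is the kind of lightweight check the person responsible for the basics above could run each quarter to produce evidence for three of them: former employees' accounts actually disabled, MFA enabled wherever email, finance, or remote access is reached, and dormant accounts questioned. The HR roster and the identity-provider export below are constructed sample data; the 90-day dormancy threshold and the group names are assumptions, and a real run would read both inputs from the HR system and the identity provider.

```python
"""
Periodic access review for a small business: flags former employees whose
accounts are still enabled, MFA missing on sensitive access, and dormant
accounts nobody has used recently.

Added example, not code from the original article or from Security Medic.
The roster and account export are constructed sample data; the group names
and the 90-day dormancy threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed: groups that grant access to the systems the basics list calls out.
SENSITIVE_GROUPS = {"email", "finance", "remote-access", "cloud-storage"}
# Assumed: an account unused this long should be justified or disabled.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Employee:
    name: str
    status: str               # "active" or "terminated", from the HR roster


@dataclass
class Account:
    username: str
    owner: str                # employee the account belongs to
    enabled: bool
    mfa_enabled: bool
    last_login: date
    groups: frozenset         # access groups from the identity provider


# Constructed HR roster
ROSTER = [
    Employee("alice", "active"),
    Employee("bob", "terminated"),
    Employee("carol", "active"),
    Employee("dave", "active"),
]

# Constructed identity-provider export
ACCOUNTS = [
    Account("alice", "alice", True, True, date(2024, 6, 1), frozenset({"email", "finance"})),
    Account("bob", "bob", True, False, date(2024, 2, 10), frozenset({"email"})),
    Account("carol", "carol", True, False, date(2024, 5, 30), frozenset({"email", "remote-access"})),
    Account("dave", "dave", True, True, date(2024, 1, 15), frozenset({"email"})),
    Account("scanner", "carol", True, True, date(2023, 12, 1), frozenset()),
]


def review_access(roster, accounts, today):
    """Return (username, finding) tuples for the reviewer to act on."""
    status = {e.name: e.status for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already disabled: nothing to review
        owner_status = status.get(acct.owner, "unknown")
        if owner_status != "active":
            findings.append((acct.username,
                             f"owner '{acct.owner}' is {owner_status}: disable account"))
        sensitive = acct.groups & SENSITIVE_GROUPS
        if sensitive and not acct.mfa_enabled:
            findings.append((acct.username,
                             "MFA not enabled on sensitive access: " + ", ".join(sorted(sensitive))))
        idle = today - acct.last_login
        if idle > DORMANT_AFTER:
            findings.append((acct.username,
                             f"no login for {idle.days} days: confirm still needed"))
    return findings


def review_summary(findings):
    """Group findings by account so the reviewer sees one entry per account."""
    summary = {}
    for user, text in findings:
        summary.setdefault(user, []).append(text)
    return summary


def default_review(today=date(2024, 6, 15)):
    """Run the review over the constructed sample data for a fixed review date."""
    return review_access(ROSTER, ACCOUNTS, today)


if __name__ == "__main__":
    for user, items in review_summary(default_review()).items():
        print(user)
        for item in items:
            print("  -", item)
```

The output is the review record itself: a dated list of which accounts were checked and what was found. Keeping each quarter's run is what lets the responsible person show an auditor, insurer, or client that the access review actually happened rather than was assumed to.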

Healthcare practices have an additional layer of obligation under HIPAA that demands this intentionality. A risk analysis isn't optional under the Security Rule—it's a required implementation specification. That risk analysis has to be documented, it has to be updated when material changes occur, and it has to actually drive the security decisions the practice makes. Many small medical practices have paid HIPAA penalties not because they had a catastrophic breach, but because they couldn't demonstrate that anyone was systematically responsible for security decisions. OCR (HHS's Office for Civil Rights, which enforces HIPAA) looks for evidence of accountability, and it doesn't always find it.

04 The Space Between "We Have Nothing" and "We Can't Afford a Full-Time Hire"

A full-time CISO in a major market costs $250,000 to $400,000 in total compensation. That's not a realistic option for a 30-person professional services firm or a regional healthcare practice. So many small businesses default to the IT provider they use for helpdesk support, who may be excellent at keeping systems running but has neither the training nor the mandate to make security governance decisions. Or they default to nothing, which is where the real risk lives.

The fractional CISO model exists precisely for this space. It's not a new idea—fractional CFOs and general counsel have served small businesses for decades, providing executive-level expertise on a part-time or retainer basis without the overhead of a full-time hire. The same logic applies to security. A fractional CISO brings the judgment, experience, and accountability of a senior security executive to organizations that need that capability but can't justify the full-time cost.

What that looks like in practice varies by engagement. For a 20-person firm, it might be a few hours a month: reviewing the security posture, making sure the basics are in place, being available when a client asks a security question or when an incident requires a decision. For a government contractor working toward CMMC compliance, it might be a structured engagement over several months to build out the required documentation, close the control gaps, and prepare for assessment. For a healthcare practice navigating a HIPAA audit response, it's someone who has done this before, knows what OCR is actually looking for, and can keep the practice from making expensive mistakes under pressure.

What You Get

A named person accountable for security decisions. Someone who can answer the hard questions when a client, auditor, or insurer asks. Executive-level judgment without executive-level overhead.

What It Costs

A fraction of a full-time hire. Structured engagements scaled to your actual needs—not a retainer for services you'll never use, not a year-one project that disappears when the contract ends.

What Changes

The accountability gap closes. Decisions get made deliberately. Documentation exists. When something goes wrong—and eventually something will—you have someone who was responsible and can show the work.

The business case isn't complicated. Cyber insurance carriers are tightening underwriting requirements—many now require documented security controls and MFA as a condition of coverage. A fractional CISO engagement that helps you meet those requirements can pay for itself in insurance premium reduction alone. CMMC compliance is a contract eligibility requirement for defense contractors; the cost of non-compliance is disqualification from the work. HIPAA penalties for small practices regularly run into six figures; a single enforcement action dwarfs years of advisory fees.

But the most honest business case is simpler than any of that. You are personally responsible for the security decisions made in your organization. If you're the owner, managing partner, or operator of a small business, those decisions are yours whether you've made them deliberately or by default. The question isn't whether to be accountable—you already are. The question is whether you want to be accountable with someone qualified helping you make good decisions, or accountable alone when something goes wrong and you have to explain what decisions were made and by whom.

You don't hire a fractional CFO because you love financial statements. You hire one because you want someone accountable for the decisions that determine whether your business is financially sound. Security is the same calculation.

05 Where to Start If You're Starting from Zero

If your honest answer to the accountability test earlier was "we have nothing formal in place," that's not unusual and it's not a catastrophe. It's a starting point. The goal isn't to transform overnight into an organization with a mature security program. The goal is to close the most critical gaps first, get accountability established, and build from there.

The SBA's cybersecurity resources for small businesses are a reasonable orientation point if you want to understand what the federal government considers baseline for organizations your size. The NIST CSF 2.0 is publicly available and provides a structured way to think about where your gaps are across five functional areas. Neither of those documents will replace human judgment about your specific environment, your regulatory obligations, or the actual threats most relevant to your industry—but they give you a frame of reference for what "baseline" looks like.

The more practical starting point is a straightforward assessment: what data do you hold, who has access to it, what would happen if it were compromised or unavailable, and is someone responsible for ensuring that doesn't happen? Most small businesses can answer the first two questions reasonably well. The last one is where the gap usually lives. Once you've named it, you can decide how to address it.

Industries Where This Is Especially Urgent

Some sectors have explicit regulatory requirements, higher data sensitivity, or supply chain security obligations that make the accountability gap particularly consequential.

The common thread across all of those sectors is that regulators and clients are no longer accepting "we're too small to have a formal security program" as a satisfactory answer. The expectation of accountability exists regardless of your headcount. What changes at different sizes is the complexity of the program needed to meet that expectation—not whether the expectation applies to you.

I started this piece with the two things small business owners tell me most often. Let me end with the version of this I hear sometimes after an incident, after the crisis has passed and the cleanup bill is sitting on the desk. It goes something like: "I knew we should have done more. I just didn't know what to prioritize, and I kept putting it off." That's not negligence. That's the predictable result of running a business without someone whose job is specifically to answer those questions. The fix isn't complicated. But it does require making a decision—which, as it turns out, is exactly the thing that's been missing.

You don't need a security department.
You need someone responsible.

Security Medic Consulting provides fractional CISO services built specifically for small and mid-size businesses, government contractors, healthcare practices, and professional services firms. Practical security leadership without the enterprise overhead.
