I contend that at least half of the companies in the US and other industrialized countries are critically overexposed to IT & Information Management risk and that this population of highly vulnerable companies is primarily compromised of medium and small sized companies, aka SME’s (Small and Medium sized Enterprises).

The problem is that the techniques and approaches in the fairly fledgling field of IT risk management usually are developed from or apply to very large companies that differ significantly in scale from SME’s.

Often the IT risk management techniques envisioned for large companies don’t scale down to SME’s. For SME’s, quantities of analytical data, staffing, operational bandwidth are all in short supply.  Also, because of their smaller size, impacts such as total dollar loss from adverse information events such as hacking, malware, fraud, etc are usually lower than that of large companies and compromises, breaches, disclosures can be less newsworthy per event.  However, there are a large number of small and medium size companies.

It turns out that company sizes in industrial countries follow the Zipf distribution where a few very large companies coexist with a lot of much smaller companies.  This is a similar distribution to what Chris Anderson popularized in his Wired magazine article The Long Tail in 2004.  For example, Anderson talks about the record industry historically focusing on the revenue generated from hits (few in number but large in revenue) and missing the fact that there were many non-hit songs generating substantial revenue when viewed in aggregate.  Similarly, there are a few really big companies and a lot of smaller companies.   This high number of smaller companies (like the number of non-hit songs) is the part known as the long tail.  And this is the part suffering the overexposure to information risk because of a lack of tools, methods, and shared approaches between companies.

The challenge is that many of the information risk management techniques and processes used by the relatively few very big companies don’t work well for smaller companies.  This is due largely, but not entirely, to resource constraints of smaller companies.   Staff in smaller companies frequently wear multiple hats and are eyeball-deep in sales, innovation, marketing, infrastructure development, and management of risk is often down the priority list.

As a whole, we end up with part of the population, the few large companies, with reasonable IT risk management capabilities and the other part, the medium and small companies, with poor IT risk management capabilities.

For the sake of argument, say that half the working population is in the few very large companies and the other half is in many small and medium size companies.  Oversimplifying a bit, this means that half of the working population are in companies able to manage risk and the other half are in companies that can’t.

What can be done to enhance the capability of that half that currently can’t manage information risk effectively (or at all)?  What can we do to provide small and medium sized companies risk management tools that are pragmatic and implementable? We need techniques and mechanisms and to share learned experiences in performing risk management in small and medium sized companies.

Do you work in a small to medium sized company? How do you address IT risk management? What other reasons do you see for lack of IT risk management in medium and small sized companies?