by IntFee588 1294 days ago
"Select and support a 'Security Program Manager.' This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program."

Somewhat contradictory. A "security program manager" can't implement good security if they don't know what it looks like, even if given a checklist.

This reads like the sort of document that the government publishes because it has a fiduciary duty to protect the vaunted "small business owner," similar to "fraud awareness" campaigns, but it is more laying the groundwork to say that they told you so, rather than real protection.


I doubt CISA believes that technical and cybersecurity experience is irrelevant. This is their way to say "put someone in charge of it."

Two reasons for this:

1. The failure mode for most SMB operational risks is "no one was behind the wheel. No one thought it was their responsibility." If someone is clearly identified as responsible, they can set the basic guidelines that most people already know should be done.

2. Once the term "responsible for X" is on the table, it will tend to push the business towards hiring skilled personnel. Precisely because no one wants to take that on. Recommend that a business hire a skilled IT security headcount at market rates, and all the stakeholders will vote no. Ask a business "who is responsible for IT security? Who will handle an incident or breach?" And they will hire an IT security person after no one steps forward.

Exactly.

We interviewed a fake cybersecurity specialist some time ago. I still use this experience as the main evidence that a pure compliance role, without technical expertise in system administration, does not make any sense. "He will make sure that there is a firewall everywhere, but will not make sure that your database is only accessible from the EC2 instance that runs your web app."