One of the most significant factors influencing SMEs when selecting security controls is management of customer expectations, not just pragmatic risk management or common industry standards, as you might expect. Supply-chain security management through due diligence activities is often responsible for this approach.
Many organisations manage their supply chain through generic security questionnaires and follow-up activities without any consideration to the supplier's environment, its provision of products/services and risk management. "Supply-chain management fatigue" is a well-known phenomenon and therefore this is perhaps understandable, but the one-size-fits-all approach can lead to weaker security models.
Compounding the problem are the imposed control themselves – it's common to see prescriptive controls which are outdated and incompatible with modern IT infrastructure, they may even represent entirely obsolete security practices. It's also rare to give the supplier the option to express a 'statement of applicability' when addressing the customers control set.
When control-set trends across multiple customers emerge, its usually easier for the supplier to take the path of least resistance and simply adopt the control, rather than justify and negotiate an alternative approach - multiplied by each party. For isolated controls this may not have any significant bearing, unless the control creates unnecessary costs or overheads. Problems can arise when hasty adoption of generic security controls leads to misunderstanding of the control's effect when integrated with other controls or in a wider context, or even worse, an exaggerated impression of value that the control provides. People, process and technology controls are all affected by these influences – but as technology develops at a rapid pace it's usually the technical controls which don't keep up.
A good example is Network Intrusion Detection System (NIDS) which still recognised as a well-regarded 'cyber resilience' control across many due-diligence processes. In the pre-pandemic world, perhaps NIDS still had a place in many environments, but we've moved to remote working en masse and zero-trust architecture has become common place; such controls for many SMEs could have little or no relevance. Deployment of a NIDS, even if you could identify suitable network positions, will inevitably lead to a false sense of cyber resilience, particularly in the end-user environment.
Larger organisations are now using different supplier patterns based on the regulatory environment and/or data assets being processed; these are a step in the right direction, but ultimately the prescriptive controls found in many due diligence processes are failing to keep up and are influencing SMEs into poor decision making, damaging the role of balanced risk management in security management.