Screenly Changelog episode 19: Fractional CISO, Cybersecurity Reality, and Why Tools Fail SMBs

Cybersecurity for small and mid-sized businesses is often framed as a tooling problem. Buy the right platform, pass compliance, and you’re covered. In practice, that model breaks down quickly.

In this episode of the Screenly Changelog, Viktor Petersson and Daniel Mountcastle sit down with Dominic Vogel, Founder of Vogel Cyber Leadership and Coaching and a fractional CISO working closely with manufacturing and SMB environments. Dominic brings a grounded view of what cybersecurity actually looks like inside organizations that do not have dedicated security teams.

The conversation focuses on where security efforts fail, how incentives shape decisions, and why most organizations are solving the wrong problems. Watch the full conversation above or read the highlights below.

Security is not a tooling problem

A recurring theme in the discussion is that most organizations are not under-tooled. They are overwhelmed.

Many SMBs accumulate security tools over time, often driven by vendor recommendations or compliance checklists. What they lack is the ability to operate those tools effectively. Alerts pile up, configurations drift, and no one owns the outcome.

The result is a false sense of security. Systems exist, but they are not actively protecting the business. In some cases, they are not even turned on.

The takeaway is straightforward. Tools are not the limiting factor. Operational discipline is.

Manufacturing exposes the long-term reality of security

Manufacturing environments highlight a structural challenge that exists across many industries. Systems are built to last decades, while security expectations evolve every few years.

A piece of machinery may run for 25 years. The software and security layers around it will change multiple times during that period.

This mismatch forces organizations to think differently about risk. You cannot simply replace infrastructure. You have to design security that can adapt over time without breaking what already works.

For operators managing long-lived infrastructure, this is not unique to manufacturing. It applies directly to digital signage deployments, IoT devices, and any system that is expected to run unattended for years.

Compliance creates movement, but not necessarily security

Many organizations only take security seriously when forced to. That pressure increasingly comes from compliance and supply chain requirements.

Large companies are pushing expectations downstream. A single contract can depend on proving a basic level of security posture. For some businesses, that is the first time security becomes a board-level concern.

At the same time, compliance frameworks do not guarantee real protection. They provide a snapshot of what should be happening, not what is actually happening day to day.

The gap shows up when something breaks. Passing an audit does not mean you can respond to an incident.

The hardest problems are human, not technical

Technical fixes are usually the easy part. The difficult work is changing behavior.

Examples in the conversation range from outdated systems that no one wants to replace to insecure workflows that persist because they are convenient. Decisions are often driven by habit or internal politics rather than risk.

This is where most security efforts stall. The issue is not identifying what needs to change. It is getting people to accept that change.

For SMBs, this is amplified by limited resources. The same individuals are responsible for operations, IT, and often security. Priorities compete, and security rarely wins without clear impact.

Security only works when translated into business risk

One of the most practical insights in the episode is how to communicate security to decision-makers. Technical language does not resonate with executives. Risk does.

Instead of describing tools or frameworks, the conversation shifts to impact. What does downtime cost? How likely is it? What is the expected loss over time?

When framed this way, decisions become clearer. Spending on security is no longer abstract. It becomes a trade-off between cost and risk reduction.

For operators, this is often the missing link. Without translating technical issues into business terms, it is difficult to justify investment or drive change.

Shadow IT and shadow AI are symptoms, not causes

Shadow IT did not emerge because users wanted to break policy. It emerged because existing tools and processes slowed them down.

That same pattern is repeating with AI. Employees adopt tools that help them work faster, regardless of official policy. Simply telling people not to use them does not work.

The underlying issue is alignment. If the approved tools do not meet user needs, work will move outside the system.

For infrastructure teams, this means visibility matters more than restriction. You need to understand how tools are being used before you can manage the risk.

Vendor incentives often work against the buyer

Many SMBs rely on managed service providers to guide their security decisions. Those relationships are not always aligned with the business.

Vendors and providers often recommend tools based on partnerships or margins rather than fit. The buyer, lacking context, accepts those recommendations.

This leads to over-engineered solutions, unnecessary costs, and systems that are difficult to operate. The pattern shows up repeatedly. Organizations pay for capabilities they do not use, while critical gaps remain unaddressed.

What we are taking forward

The central insight from this episode is that cybersecurity for SMBs is not primarily a technical problem. It is an operational one.

The tools exist. The frameworks exist. What is missing is the layer that connects them to how the business actually runs. That includes understanding where data lives, how systems are used, and how decisions are made.

For teams managing digital signage and distributed infrastructure, the implications are clear. Every device on the network is part of the security boundary. Treating them as separate or secondary systems introduces risk that is easy to overlook.

The shift required is from accumulation to focus. Fewer tools, better understood. Clear ownership of outcomes. And a consistent translation of technical risk into business impact. The full episode is available now.

Win dela Cruz
Win supports Administration, HR, and Finance at Screenly.