Within this paper we provide insight into how the activities associated with security verification and validation (V&V) are practiced, supported, and perceived, within software SMEs. We justify the importance of studying security V&V as a socio-technical activity and employ the Socio-Technical Interaction Network (STIN) framework when presenting the results of an industry-based empirical study. In summary, the results indicate that software SMEs are significantly less confident in their engagement with security-focused V&V activities as opposed to traditional software V&V. This includes their ability to perform and own the activities, as well as how they are supported and managed within the organisations studied. This suggests that security-focused V&V activities have not reached the same degree of maturity as the more traditional software V&V activities within software SMEs.