Chief information officers (CIOs) and chief information security officers (CISOs) responsible for cybersecurity for midsize enterprises (MSEs) are up against the same complex threat landscape as their counterparts in larger organizations. Yet they are challenged to manage risk with fewer staff, limited security tools and smaller budgets. According to Gartner research, only 5% of an MSE’s IT spending was allocated to security in 2021.
At a time of inflation, the cybersecurity pain points for an MSE are not going away any time soon.
These organizations that rely on SaaS applications, a remote or hybrid workforce and IT compliance requirements will continue to be spread thin.
So, what is an organization with several hundred to several thousand employees to do?
Massive changes in processes and tooling must occur while keeping the business running and secure. How can we best move forward in managing risk with less staff, limited security tools, and smaller budgets?
Think Outside the Box
First and foremost, we must think outside the box. Our preconceived notions and experience can stifle creativity. We need to be open to new ways of reaching our goals. Our highest priority needs to be supporting the operation of the business. For CIOs and CISOs focusing on cybersecurity for their MSE, this means servicing the customer base by providing the tools needed to succeed.
Supporting the business starts with IT – providing the devices, software, and services they need with the security controls to adequately protect corporate, customer and employee data.
Yes, we need to adopt new policies, processes and tools. You begin by looking at the problems you want to solve. How do we get devices into the hands of my teams? How do we make the onboarding experience as painless as possible? How do we standardize and secure our endpoints? How do we manage inventory? We need to review the entire device lifecycle from onboarding through termination thoroughly.
Next, examine security solutions with an open mind. Stay focused on cost-effectiveness and ‘bang for the buck’ with the best cross-platform integrations. You want to avoid managing 15 different security tools when one or two would check enough of the boxes. Think automation. Take people out of the process wherever possible. Once you have a focused list of security tools, discuss them with your team, use a proof of concept (POC), and test your theories. Determine how much time savings the new automation yields for your team and users. Saving your team two hours per onboarding and the end user another two hours helps justify spending. Also, consider future time savings – updating software, patching operating systems, etc. Your business can always bring in more revenue, but you cannot create more time.
Then, standardize and implement best practice technical and administrative security controls. Many automation platforms allow devices to be configured more securely than the default. Policies can be uniformly tested and enforced with metrics tracked so your team can report progress and better manage risk. The software can be automatically deployed. Inventory can be tracked. Vulnerabilities can be assessed. Security tools can be implemented. And devices can be secured.
Building out these hassle-free, mostly automated onboarding and management services frees up IT and security time to focus on the more difficult challenges around managing non-standard software installs and other SaaS applications.
Last but not least, think about scalability. Even though your business may only have a few hundred users, build your processes as though your business had thousands. One of the worst mistakes CIOs, CTOs and CISOs make involves ignoring scalability, thus increasing the business’ technical debt. Technical debt happens when outdated processes and software create inefficiency and security risks. The proverbial can is simply kicked down the road, increasing the cost and effort required to mitigate the issues. The longer the problems are ignored, the more costly it becomes to remedy them, and the more frustrated your teams will become.
Overcoming Challenges and Moving Forward
IT and Security teams have proven time and time again that they are resilient. Overcoming challenges in cybersecurity for midsize enterprises requires constant situational awareness, planning for the unexpected, a keen eye for improving efficiency and a commitment to automating everything possible.
While security mandates often come from the CIO and CISO, every employee must protect corporate, customer, and employee data. Removing menial tasks and interruptions from users can free up IT and security time to focus on more complex projects and involve the entire organization in securing the enterprise.
By thinking outside the box, thinking automation and thinking scalability, MSEs can move forward in managing risk with less staff, limited security tools and smaller budgets.