Editor's note: The following is a guest article from Paul Furtado, vice president analyst at Gartner.
Midsize enterprise (MSE) IT leaders are responsible for securing their enterprises against the same complex threat landscape as CISOs in larger organizations, but they are challenged to do so with fewer staff, limited security tools and smaller budgets.
According to Gartner research, only 5% of an MSE’s IT spend was allocated to security in 2021. Furthermore, more than half of MSEs do not have a CISO, meaning cybersecurity falls under the CEO, CIO or another line of business leader, who must divide their time and attention among a wide range of IT and business responsibilities.
Despite fewer resources, MSE organizations can still effectively protect against ransomware, supply chain risks and other threats. Here are the key steps that MSE IT leaders can take to strengthen their security against today’s complex threat landscape.
Take a role-based approach to security staffing
MSE CIOs cite security as the top technology skill gap in their organizations. In fact, most MSEs lack dedicated cybersecurity personnel on the IT team; Gartner research shows that a dedicated security resource does not emerge until there are at least 21 people in the IT group. Developing a workforce strategy around security is paramount to a successful MSE security program.
As MSE IT leaders don’t have the time or money to compete for security talent, they must focus on distributing security roles and functions to their existing team members. Identify internal people with select competencies in five critical security categories:
- Governance, risk and program management – includes policy and strategy development, education and training and business continuity management.
- Infrastructure and data protection – includes platform, application and data security, as well as vulnerability management.
- Identity and access management – includes account governance and administration, access management and analytics.
- Administration – includes patch management, system administration and user provisioning.
- Security operations – includes monitoring and detection, incident response, threat hunting, vulnerability assessments and penetration testing.
With small teams, it is not uncommon to have one individual responsible for several of these security roles. Offer training opportunities for staff in these areas, which will not only help improve security processes and practices in the organization but can also support IT talent retention.
Contract an MSSP to augment security operations
Around-the-clock monitoring is critical to quickly respond to and contain security incidents, but running a security operations center 24x7 requires a minimum of 8 to 12 security analysts. This is not achievable for most MSE organizations.
Leveraging a managed security service provider (MSSP), managed detection and response (MDR) services, or an endpoint detection and response (EDR) provider can complement a role-based approach to security by providing support for resource-intensive monitoring. In most MSE environments, it is possible to contract a managed service provider for less than the cost of one senior, full-time equivalent employee.
Identifying a vendor or mix of vendors ideally suited to MSE requirements can be difficult. Although the MSSP market is maturing, there is no “one size fits all” vendor to address all cybersecurity threats. When contracting an MSSP, ensure that the provider:
- Furnishes managed security services specifically for the end user or client; services should be subject to contract negotiation, rather than a click-through agreement.
- Is subject to predefined deliverables and service-level agreement requirements.
- Augments internal operations teams, which requires some access to the corporate network.
- Relies on a technology stack deployed at its own premises or in the cloud, even if it also utilizes a dedicated technology stack on the organization’s premises.
- Engages in some degree of human interaction with the customer.
Increase effectiveness by building executive relationships
Within an organization of any size, managing security is a complex task. An MSE CIO’s security responsibilities encompass not only thwarting unrelenting threats, but also addressing compliance within a fast-changing regulatory landscape, providing assurance for growing customer security concerns and more.
Therefore, MSE CIOs must be highly effective to manage this full plate of security responsibilities. They can do so by following the lead of highly effective CISOs at larger organizations.
Gartner research has found that the most effective CISOs are skilled executive influencers, future risk managers and workforce architects. They actively develop their teams by focusing on diverse competencies and addressing talent gaps with non-security resources. These CISOs aren’t bogged down by security alerts and decision fatigue, but are instead focused on what is controllable: their own behaviors and mindsets.
Most importantly, these CISOs build strong relationships with senior leadership across the enterprise, particularly those outside of IT such as the CEO and Board of Directors. By maintaining these relationships, these CISOs are at the forefront of conversations with decision-makers about security and risk, enabling them to proactively identify and manage future threats to the organization.
MSE CIOs and IT leaders face a challenging role and complex set of responsibilities, including security and risk management. By understanding the critical components of a strong cybersecurity program, MSE IT leaders can develop a roadmap for using the resources at their disposal to enhance their security posture and protect against cyberthreats.