Security
Sep 7, 2022

What is "enough" cybersecurity for mid-market?

Before suggesting what to buy, it is important to not buy without a strategy. Tools do not solve cybersecurity problems, people do.


What is enough cybersecurity?

To start, this article is written for the mid-market. While mid-market companies have nearly the same likelihood of an incident as a large company, large companies have budgets for headcount and products that mid-market companies cannot match. For this reason, growth companies must think and execute smarter to achieve the same results. That said, savvy teams can elegantly architect security programs that are highly effective. These investments can scale as the company grows and, ultimately, become enterprise-grade.

Cybersecurity investments typically encompass:

  1. Headcount: someone must manage tooling, write policies and procedures, configure systems, educate teammates, talk to customers and more. It is not possible in today's age to automate cybersecurity.
  2. Tools: cybersecurity is data intensive. Most companies invest in tools such as vulnerability scanning, threat detection, a user directory, and device and inventory management. These tools can be open source, home-grown or commercial.
  3. MFA: Multi-factor authentication does a lot, but it doesn't do enough. While MFA is a core strategy for smaller companies, it will not take the place of other critical strategies.
  4. Collaboration and project management: cybersecurity is collaborative. One or many tools to store documents, track projects and delegate tasks will be important.
  5. Consulting: most companies budget for strategic audits, penetration tests and certifications depending on their industry.

What should we buy?

Before suggesting what to buy, it is important to not buy without a strategy. Tools do not solve cybersecurity problems, people do. As you accumulate tools, you will accumulate the need for manpower, since cyber tools do not run themselves. It is important to build the business strategy for cybersecurity before purchasing technical solutions to it.

Tool vendors will, of course, lead your strategy with their tool. That is the purpose of their marketing; they are just doing their job. It is important to avoid letting them, and instead start with a strategy that leads with your business goals.

How do we choose what to buy?

Many of our customers come to us to build a cybersecurity strategy. One thing that they want to do with their strategy is figure out what they need to buy.

The first thing we do when thinking about cybersecurity strategy is a full analysis of pre-existing legal contracts. Within your legal contracts are projects, SLAs, requirements, standards and other things you have agreed to do. If you have legally committed to doing cybersecurity, you should complete those requirements immediately.

Legal contracts serve many purposes, one being the assignment of liability and risk. On a global stage as hostile as today's, there is a high likelihood that most companies will have an incident of some kind. Your legal contracts may spell out important details such as reporting requirements to your customers. They may also specify a level of hygiene and maturity that you must meet.

We see cybersecurity as a customer deliverable, especially when it is specified in a legal contract.

If you are legally contracted to provide specific SLAs of cybersecurity, meet them.

When choosing what to buy, it is important to look at simple tools that can measure and uphold core projects. It is helpful to talk to someone who has used the tools before if you have not used them yourself. You want to make sure there is no hidden human capital cost to the tools you select that you are not prepared for. You also want to make sure that the tool delivers enough value for its cost. We recommend consolidating tools as much as possible. To us, this means one well-made tool should replace several.

Many types of cyber tools are available as open source. This is an area where a CISO, virtual or full-time, can add value. Open source tools can often replace expensive commercial products.

Threat management is the area that we see as the most technical, more so than API or cloud attack surface management.

There are many schools of thought on threat management. It is good to speak with someone who knows a lot about threat to help you decide how you will go about it. Some approaches require few people. Others require an entire department of people to manage.

What is not enough?

When shopping in cybersecurity, whether for tools or ideas, it is important to remember that cybersecurity is a hot area for funding. New ideas spin up every day and venture capital comes easily. This matters because an uneducated buyer can waste their money or, worse, buy things that lead them away from actually protecting their assets.

Cybersecurity is not an area to invest in trends, but to have a strong approach and match tools to jobs to be done.

Vendors that suggest that cybersecurity can be easily simplified, almost to the point of it seeming that a completely non-technical person can do it, are dangerous.

Cybersecurity is fighting off technical criminals who seek to destroy the destiny of your business. It is not a place to wish for simplicity or gamble on ideas that sound too good to be true.

  • Simply rolling out MFA is not enough.
  • The idea that a SOC 2 will stop a cyber criminal is dangerous.
  • Waiting too long to get cyber insurance can be a mistake.
  • Ignoring risk and threat to focus only on the easy and relatable parts of cybersecurity is a bad idea.
  • Building from checkboxes, templates and frameworks alone will be too general to fit your needs.

Good cybersecurity costs money, whether in tooling, human capital or both. Enterprise companies and SMBs are equally targeted and equally destroyed by criminals. This creates a challenge for the mid-market, which is tasked with doing more with less.

The best things to arm a mid-market company with are self-knowledge, strategy and lean decision making.

Tools will not push off cyber crime on their own; tools must be managed by people.

Invested, aware and thoughtful executives collaborating with experienced cybersecurity experts is the way to go.