Six Steps to Start a Cybersecurity Program for Middle-Market

Did you know that 88% of cyber insurance claims are from companies under $2B in revenue?  

Cybersecurity for Middle-Market Enterprises

The US Chamber of Commerce is telling middle-market organizations ($500M-$1B in revenue) that they are becoming the prime target of cyber criminals, stating “Larger middle-market organizations continue to be the most at risk, with high volumes of valuable data to attract cybercriminals, but lacking the robust security resources of their large-cap peers.” 

Last year, the chamber reported that over 50 percent of middle market executives predicted that unauthorized users would attempt to access their organization’s data or systems. 

Cybersecurity Tactics Mid-Sized Organizations Are Using Today

If a small- or mid-sized organization has made any inroads into cybersecurity, it tends to focus on basic areas like employee education and protection in the form of firewall and endpoint security.

These organizations may have a CIO but, typically, don’t have a CISO or security leader. In these cases, the CIO and IT department are responsible for security but, naturally, without adequate cybersecurity experience.   

Executives know that their cyber risk is rising and are very concerned about what they can’t see or detect. But their cybersecurity governance, policies, and practices don’t match the level of risk that they’re facing or their cybersecurity maturity level.

They may have conducted some level of risk assessment, but it was done internally using a free tool from the web. And, they don’t have a proactive plan that outlines the unique nature of their organizations with prioritized risks and mitigation actions. 

Creating a Robust and Affordable Cybersecurity Program for Mid-Sized Organizations  

In today’s tight cybersecurity talent market, it will be too expensive to hire a person capable of launching and managing a complete cybersecurity program, if you can find one.

CyLumena created a virtual CISO (vCISO) service to fit the needs of the middle-market enterprise:

  • Leveraging a vCISO means that you can build a cybersecurity strategy affordably with someone seasoned and plugged into medium-sized organizations across industries. They can help you socialize the cybersecurity plan and build buy-in.
  • A virtual CISO can execute the initial phases of your program and provide strategic guidance, which ramps up your security protection faster while building cyber resiliency internally.
  • The vCISO can carry out a cybersecurity assessment that matches your size and industry. One assessment size doesn’t fit every organization, especially mid-sized enterprises. Your vCISO can ensure that your assessment covers any compliance requirements and also targets the areas critical to keeping the business afloat if and when a breach or ransomware situation occurs, and can make recommendations for remediating gaps in security that leave you vulnerable.
  • A viable alternative to building your own internal security operations (which is probably not your core competency), and one that more small to medium-sized businesses (SMB) are implementing, is to outsource security operations to an expert provider. Additionally, outside support gives you access to advanced cyber tools that you don’t want to invest in just yet, but need now. 

Time’s a Changin’ – CEO Cybersecurity as Priority

2016: 45% of CEOs say cybersecurity is “not their responsibility”

2017: Cybersecurity revealed as a top-5 business priority

2019: CEOs view cybersecurity as the #1 external issue

Transitioning from vCISO to Internal Cybersecurity Management

If you decide building internal security resources is the right path to take, we have found that organizations that ramp up their cybersecurity program using virtual CISO services can more easily transition into self-management. Once the strategy and basic building blocks are in place, you’re ready to build your team.

Now that you’ve leveraged a vCISO to do the heavy lifting, you can more cost-effectively begin to build out your security team. Our advice is to hire a mid-level cyber engineer with four to six years of experience. This role doesn’t need a manager just yet, but find someone with the potential to grow into a leadership role. Their focus is on execution and ensuring that the measures put in place by the vCISO are working seamlessly and delivering the level of protection desired.

When choosing this candidate, who may be your first cybersecurity hire, lean heavily on finding a fit with your company culture and your cybersecurity philosophy. In this role, fit is as important as cybersecurity skills and experience. For an organization of your size, opt for self-motivated individuals who have enough breadth and depth to function as a cybersecurity generalist. Then, you can augment and support your new leader with professional advisory services where and when needed.

Mid-Sized Organizations Can Afford Robust Cybersecurity Protection

While research says that 95 percent of breaches could have been prevented, it makes sense when we look at the volume of threats targeting mid-sized organizations. Yet, it is very realistic for executives to create an affordable, robust cybersecurity program. With the right support, focus, and efficient use of technology and resources, it’s possible to have the same level of protection as the “big guys.” 


Chris Dinnin, Managing Director

Chris Dinnin has over 30 years of global IT consulting experience. In his role as Managing Director, Chris oversees all aspects of CyLumena’s business, leveraging a broad team of cybersecurity experts with backgrounds ranging from former CISOs to Big Four consultants and U.S. Armed Services Intelligence experts.

Building upon his successes at organizations like Accenture and SDLC Partners, Chris’ focus is on solving real world client business challenges through realistic and practical solutions.

His work with large and mid-sized client organizations across four continents has honed Chris’ ability to strategize the right, custom solution and ensure he and his team deliver long-term business value.

Chris graduated from Carnegie Mellon University’s Tepper School of Business with dual degrees in industrial management and information systems.