Six Steps to Start a Cybersecurity Program for Middle-Market
Did you know that 88% of cyber insurance claims are from companies under $2B in revenue?
Cybersecurity for Middle-Market Enterprises
The US Chamber of Commerce is telling middle-market organizations ($500M-$1B in revenue) that they are becoming the prime target of cyber criminals, stating “Larger middle-market organizations continue to be the most at risk, with high volumes of valuable data to attract cybercriminals, but lacking the robust security resources of their large-cap peers.”
Last year, the chamber reported that over 50 percent of middle market executives predicted that unauthorized users would attempt to access their organization’s data or systems.
Cybersecurity Tactics Mid-Sized Organizations Are Using Today
If a small- or mid-sized organization has made any inroads into cybersecurity, it tends to focus on basic areas such as employee education and protection in the form of firewalls and endpoint security.
These organizations may have a CIO but typically don't have a CISO or other security leader. In these cases, the CIO and IT department are responsible for security, usually without adequate cybersecurity experience.
Executives know that their cyber risk is rising and are very concerned about what they can't see or detect. But their cybersecurity governance, policies, and practices don't match the level of risk they face or their cybersecurity maturity level.
They may have conducted some level of risk assessment, but it was done internally using a free tool from the web. They don't have a proactive plan that reflects the unique nature of their organization, with prioritized risks and mitigation actions.
Creating a Robust and Affordable Cybersecurity Program for Mid-Sized Organizations
In today's tight cybersecurity talent market, it will be too expensive to hire a person capable of launching and managing a complete cybersecurity program, and that is if you can find one at all.
CyLumena created a virtual CISO (vCISO) service to fit the needs of the middle-market enterprise:
- Leveraging a vCISO means that you can build a cybersecurity strategy affordably with someone seasoned and plugged into medium-sized organizations across industries. They can help you socialize the cybersecurity plan and build buy-in.
- A virtual CISO can execute the initial phases of your program and provide strategic guidance, which ramps up your security protection faster while building cyber–resiliency internally.
- The vCISO can carry out a cybersecurity assessment that matches your size and industry. One size of assessment doesn't fit every organization, especially mid-sized enterprises. Your vCISO can ensure that the assessment covers any compliance requirements but also targets the areas critical to keeping the business afloat if and when a breach or ransomware incident occurs, and can recommend remediation for the security gaps that leave you vulnerable.
- A viable alternative to building your own internal security operations (which is probably not your core competency), and one that more small and medium-sized businesses (SMBs) are adopting, is to outsource security operations to an expert provider. Outside support also gives you access to advanced security tooling that you don't want to invest in just yet but need now.
Time’s a Changin’ – CEO Cybersecurity as Priority
2016: 45% of CEOs say cybersecurity is "not their responsibility"
2017: Cybersecurity emerges as a top-5 business priority
2019: CEOs rank cybersecurity as the #1 external issue
Transitioning from vCISO to Internal Cybersecurity
If you decide that building internal security resources is the right path to take, we have found that organizations that ramp up their cybersecurity program using virtual CISO services can more easily transition into self-management. Once the strategy and basic building blocks are in place, you're ready to build your team.
Now that you’ve leveraged a vCISO to do the heavy lifting, you can more cost-effectively begin to build out your security team. Our advice is to hire a mid-level cyber engineer with four-to-six years’ experience. This role doesn’t need a manager just yet, but find someone with the potential to grow into a leadership role. Their focus is on execution and ensuring that the measures put in place by the vCISO are working seamlessly and delivering the level of protection desired.
When choosing this candidate, who may be your first cybersecurity hire, lean heavily on finding a fit with your company culture and your cybersecurity philosophy. In this role, fit is as important as cybersecurity skills and experience. For an organization of your size, opt for a self-motivated individual with enough breadth and depth to function as a cybersecurity generalist. You can then augment and support your new leader with professional advisory services where and when needed.
Mid-Sized Organizations Can Afford Robust Cybersecurity Protection
Research says that 95 percent of breaches could have been prevented, a figure that is easy to believe given the volume of threats targeting mid-sized organizations. It is realistic for executives to create an affordable, robust cybersecurity program. With the right support, focus, and efficient use of technology and resources, it's possible to have the same level of protection as the "big guys."