Part 1: How the Middle Market Can Think Differently About Cybersecurity
It seems like everyone in the cybersecurity industry agrees that our current approach to securing organizations has its challenges, including outcomes that tend to miss the mark. One can look at the continued upward trend of data breaches over the last several years and question whether the prevailing approaches are working. Let’s look at the situation through the lens of a middle market business. (For reference, a middle market business is defined as having gross annual revenues between $20 million and $10 billion.) Middle market businesses account for a full one-third of the strength of the U.S. economy. Middle market businesses have unique challenges when it comes to technology and cybersecurity. Generally, if the business started within the last 5-7 years, it is technology-heavy, specifically in cloud adoption (also known as cloud native). Older middle market companies also tend to be heavy in technology, but with a hybrid approach: some technology workloads on premises and some in the cloud. A common thread between the two profiles is the set of challenges around cybersecurity practices.
In my years of consulting, and more recently in speaking with potential customers in the middle market, there is significant evidence that cybersecurity programs have not kept pace with the technology adoption mentioned above. This is not a guilt trip; it is just a reality. Businesses have to be responsive to market forces. Fast and effective adoption of technology can give an organization an edge over its competitors. It can also mean the survival of the company. The security of that solution tends to be de-prioritized as the effectiveness of the technology solution is realized. The de-prioritization is not intentional, and it is what allows the technology to move forward on time and under budget.
As a business leader in the middle market, you may have noticed a recent trend developing. From a cybersecurity perspective, it is a good trend. It can be a bit of a paper exercise, and it can be a creative exercise if your organization is challenged by its cybersecurity posture. I am speaking of third-party risk management. Have you been receiving cybersecurity questionnaires from your customers, vendors, or regulatory organizations? Have you and your staff spent hours upon hours filling out these forms? Tell the truth: have you been providing answers that are accurate only in the most lenient sense? Third-party risk management activity has increased significantly over the last few years due to high-profile data breaches like Target and Home Depot. These breaches involved vendors or suppliers as the means by which the bad actors were able to carry out the attack. What is the purpose of these questionnaires? What happens if you are found not to be practicing the cybersecurity principles as you describe them in the questionnaires? These organizations are actively transferring risk from themselves to you. With the current slate of options in the cybersecurity market, this leaves middle market business leaders with their backs against the wall.
Join me in Part 2 of this post where I cover a new way of approaching cybersecurity for the middle market.
- David Malicoat, Founder, BAMCIS Cyber