Cybersecurity in the mid-market: Playing catch-up in a cold budgetary climate

In a previous article, I said how important it was for mid-market organizations to spend on security – “The more you spend, the harder you’re going to be able to penetrate, even if the target is ultimately larger.” For ransomware gangs for example, ROI is key – they’re asking, how do I get the most return for the least investment? They found that certain segments, like manufacturing, have a higher return than average, so they target those, and the mid-market has a much higher return than most, so they target that as well. 

If you haven’t been investing in security for the past 5 years however, you’re going to be coming from a place where you’re behind, and there’s no way to play catch up that doesn’t involve spending money. You may end up having to make a 1 year spend increase to play catch up in a way that’s going to really show value and bring you into parity. So, how to approach this, given that budgets are getting tighter?

Start with self-assessment and existing tooling

My recommendation would be to start with the NIST self-assessment for maturity and security, and really see where you place. I would aim (as a good target) to be in the 2.5 to 2.9 range. 3 would obviously be good, but if you’re below that 2.5 to 2.9, you are going to have a tremendous amount of catch-up. 

The good news is, you have some low hanging fruit to go after. 3 is a significant maturity of space: as we get into the 3’s, we’re more focused on auditability and repeatability. If you’re in the high 1.5 to 1.9, I’d be looking for some repeatable services that you can take advantage of, to push your maturity forward and really get a set of eyes on the space, to make sure that you don’t have any big holes already sitting in your environment, which is another dangerous issue. 

One of the things that attackers do—think of them as freelancers—is, they’ll penetrate an organization, but make no changes. They’ll simply see how far they can go in and document it, then they put the exploit up for sale. Think about it like a business exchange that says, hey, I penetrated this far into this organization, here’s a profile of the organization, and then they sell it to you on the street corner. So, if you’re in the low to mid-high 1s, I would really start looking at: is this something that has happened? Is there something I should be aware of, like a historical breach that went nowhere? 

Then, you’re probably going to need to spend some money on securing your edge, your firewalls. This part of the architecture tends to be a little old. Are all your firewalls currently under maintenance? And maybe they don’t have all the features that you need, turned on and working. 

Then I’d also probably be looking into Zero Trust Network Access, to close out some of the security issues there. I’ve seen a lot of VPN penetration in recent times. Especially those that don’t have a thorough use of multi-factor authentication (MFA), or where their MFA is easily defeated. That’s part one of the security conversation. 

Next, look at people – inside and outside the organization

Where I want to focus next is, it’s incredibly hard to train and retain people. I say it in that order, because if I train them, I’ve made them more valuable in the market, and security is being poached like crazy. So, I want to think about where am I doing that, and how am I doing that with people? I tend to advise, and approach it as a CXO, as follows: if no tribal knowledge is required for the role or for the function, I want to outsource the function.

I want to outsource the function not because I want to reduce my headcount. I’m generally short of people, so that’s not likely. But if I can use a managed service, maybe I will have four people that I can offload some work from. Those four people are hard for me to retain, and if I lose one, I’ve lost 25% of my capability in that space. A managed shop will have four hundred people: if they lose ten people, it’s not going to disrupt their ability to deliver the service to me. 

Consider this versus those things that do require tribal knowledge, like understanding how my business operates, what my business does, and how operations work inside my company. That’s really where I want to focus my people. Where you want to start, where you want to retain people, and really focus them, you can consider as the G of GRC (Governance, Risk and Compliance). I would be investing in that, probably 40% investment (out of my budget). There’s only so much training I can give to my people, only so many people I can hire. So, any person I hire is not a one-time investment, but a rather enduring investment. 

I want to make sure that I own the architecture, and the design, and the people that interface with legal, and people that interface with operations, and the people that have developed a softer touch and are embedded inside my organization. I don’t necessarily want to own the people that monitor my SIEM or monitor my firewalls and my firewall activity. I want to outsource those things to providers that are really good at it. 

Managed security providers can see traffic on an incredibly large scale and can notice traffic patterns that we’re not able to see because our data set is too small. Small data sets in security hurt you. They don’t help you. I want to leverage massive data sets. And so all of that says, what I’m looking to do is build an ecosystem of talent, and that’s both talent inside my organization, and talent outside my organization. 

If I’m looking at spending 25 – 40% of my budget on managed security services, they tend to come along with software licenses: if I outsource SIEM, I’m probably not going to maintain my own SIEM. So, if I’m currently paying for Splunk say, I want to look at my outsourced service and say, what are you using for a SIEM? How is it licensed? Does it make sense to leverage my Splunk, and if not, how do I mitigate the enduring cost of a contract for a piece of equipment I’m not going to use. If I’m in a 3 or 5-year contract. I want to look for a SIEM that will leverage the tools that I have currently, without increasing my contract costs, knowing that I’m going to seek to not renew moving forward. 

So that’s 40% investment in people, 25-40% in services. That leaves 20-35% in new tooling, depending on its current age. For example, Zero Trust Network Access is going to be a new spend, as are new firewalls. ‘Protecting the edge’ is likely to be a particular spend point, upgrading from an old endpoint protection software to something more modern and centrally controlled, potentially managed.

Bring it together – with timing based on contract renewals

Costs are not necessarily increasing but budgets are shrinking. What we’re seeing globally is that budgets are going up about 4%, which is actually a shrinkage in budget considering we’re seeing inflation increase by about 8.5%. Plus, we’re seeing employee costs increase by 15%. So, even with a 4% budget improvement, you’re actually sitting much closer to about a 12% loss overall. Meanwhile, a lot of the large manufacturers are still dealing with long supply chain issues, in some cases greater than 12 months. 

It’s challenging because the job’s not getting easier: security requirements are becoming more complex, and the number of things we’re being asked to do is not getting any less. So I’d really be looking at, where are tangible places I can take my green field, my new security additions and new capabilities to manage the organization? Do I have a good strategy around how I’m going to leverage those and measure an ROI? If not, I’d consider delaying them. 

If a clock expires and it’s time to do a renewal, but I’m not really going to get to see the replacement for a year, it’s the moment to think, is now the right time to execute on that renewal? Do I really need to make planning headspace, and operational headspace, for things that I’m not likely to see for 12 months? Then, are there some things that I could pull from next year’s budget? Are there some things I can pull from 2024’s budget into 2023, if I’m not able to execute on other things? 

When it comes to contracts; if I’ve got tools and services expiring in October, I should be negotiating for those in January. If I negotiate in January, first, the ability to renew early provides some relief for the vendor that I’m buying from; and second, if I’m not going to be able to negotiate terms that I find to be advantageous for myself, it gives me nine months to come up with an alternative plan.

That’s the conversation I’d be having now, so I know where I’m going to get better terms, and lock those things in. I don’t need to review those decisions today. Where I’m not getting better terms, those are where I want to focus. And meanwhile, here are some green field projects: we’ve got good potential ROI and really want to return the value to the business, but I’m not really comfortable I can answer these questions with confidence. These things I want to delay, and push off their cost right now, until we can.

Budget management’s going to become a bigger thing in 2023, and my expectation is 2024 won’t get any easier. Like in 2021, and 2020, we said, “2018 sure seems like a bit of a party compared to today!” But considering your existing portfolio, managing the people who bring the most value for their tribal knowledge, and focusing on contracts that need the most attention in the next 12 months, offers a way forward.