Midsize enterprise (MSE) CIOs responsible for security are up against the same complex threat landscape as their counterparts in larger organisations, but they must manage risk with fewer staff, fewer security tools and smaller budgets. According to Gartner research, only 5% of an MSE's IT spend was allocated to security in 2021.
Many of the security risks facing MSEs mirror those facing larger organisations. For example, attack surfaces are expanding due to increased use of cloud applications, open-source code, internet of things (IoT) devices and cyber-physical systems. This creates a more complex organisational perimeter for MSE CIOs to secure.
Ransomware continues to be a top concern among MSE CIOs. Almost weekly, we see reports of organisations having to halt operations because of ransomware. These organisations often do not have robust incident response (IR) plans in place or IR services on retainer. Without rapid response, containment and remediation, ransomware can have a devastating impact on an MSE.
MSE CIOs cite security as the top technology skill gap in their organisations. In fact, most MSEs do not have dedicated cybersecurity personnel on their team. Gartner research shows that we do not see a dedicated security resource until there are at least 21 people in the IT group.
MSE security organisations are usually made up of IT generalists who take on security roles in addition to their other work. Even in cases where MSEs do have headcount for security, given the ongoing talent crisis, it can be extremely challenging to recruit and retain qualified staff.
To run a security operations centre 24x7x365, you need a minimum of 8 to 12 security analysts. This is not achievable for most MSEs. So, to be successful, MSEs need to adopt a security-talent-centric approach, assign security responsibilities to existing roles, and augment those roles with third-party partners.
Engaging a managed security service provider (MSSP), a managed detection and response (MDR) provider or an endpoint detection and response (EDR) provider lets you outsource resource-intensive monitoring. In most MSE environments, a managed service provider can be contracted for less than the cost of one senior, full-time equivalent.
Given this landscape, how can MSE CIOs be most effective?
You must be highly effective in your role to protect against expanding threats with limited resources. As MSEs’ digital ambitions grow, CIOs will find the size and scope of their roles increasing as well. Gone are the days of only protecting servers and assessing IT risks.
Today’s MSE CIOs are responsible for not only thwarting unrelenting threats, but also addressing compliance within fast-changing regulatory landscapes, providing assurance about growing customer security concerns and more.
Gartner research has found that the most effective CIOs are skilled executive influencers, future risk managers and workforce architects. They actively develop their teams by focusing on diverse competencies and addressing talent gaps with non-security resources.
To improve your effectiveness, build strong relationships with senior leadership across the enterprise, particularly those outside of IT. Proactively identify and manage future risks to your organisation by informing decision makers about new security norms and technologies, and monitor the workforce and address skills gaps with creative talent management practices.
Finally, stress management and personal development play an important role. The most effective CIOs diligently manage their time by keeping firm work-life boundaries and making time for personal development.