Mike Rothman of Dark Reading wrote an interesting piece, which Bruce Schneier echoed last week, arguing that security vendors are focused on the top 1,000 enterprises, leaving the meager mid-sized businesses that live beneath the Security Poverty Line to fend for themselves. Rothman:
“These folks have a couple hundred to a couple thousand employees. That’s big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything.”
I feel this argument is a tad overstated. Think about what the No-Man’s Land theory says about the business models of security vendors—that they’re collectively and deliberately ignoring an entire forest full of deer and rabbits with hopes of nabbing a few elephants? Sounds like a surefire way to starve to death. (My apologies, vegetarians.)
Rothman really nails it on the head here, though:
“What folks in security no-man’s land need most of all is a security program. They need an adviser to guide them through the program. They need someone to help them prioritize what they need to do right now.”
YES! This is the secret sauce. But what makes this exclusive to large enterprises? Despite not having bespoke security, it’s hard to excuse mid-market companies that don’t go after the low-hanging fruit (sorry, carnivores).
“They don’t want or need someone to do everything for them. And they certainly don’t need a shiny object to stop the attack du jour.”
The “blocking and tackling” Rothman calls for is something every organization can start doing—large or small. For unstructured data, Varonis has an entire blog series detailing precisely how companies can implement a security action plan, and Varonis will custom-tailor every step around the resources available.
By focusing on the fundamentals, we’ve seen some mid-market businesses with a few ultra-bright security and operations folks implement more comprehensive and successful IT security programs than Fortune 100s with ostensibly limitless budget and staff.