Midmarket companies are big enough to make juicy targets for attackers, yet they have insufficient IT to handle security in-house. They fall into a dangerous security "no-man's land."
Mike Rothman, president of the security research and advisory firm Securosis, compares midmarket companies' security position to the "no-man's land" between the baseline and service boxes in tennis, where it's easy for your opponent to score against you. He says about midmarket companies:
These folks have a couple hundred to a couple thousand employees. That's big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything. These folks are caught between the baseline and the service box. They default to compliance mandates like PCI-DSS because they don't know any better.
Wendy Nather, an analyst with 451 Research, made the same point in 2011, saying SMBs fall below the "security poverty line":
Organizations below the Security Poverty Line have no in-house security expertise -- in fact, they may not even have any full-time IT staff at all. If they spend money on a security consultant, they may be able to get advice, but security also lies in the day-to-day execution, and without knowledgeable resources at their disposal, they won't be able to execute on whatever the consultant advises.
In organizations below the Security Poverty Line, Enterprise Security Information Management (ESIM) products might sit unused because nobody has time or expertise to tune them or read reports. Antivirus software might be improperly installed. "In an IT-poor organization, maintenance tasks take a back seat to the more pressing matters of outages and new installations," Nather said.
Rothman blames the security industry, which caters to large enterprises and neglects the midmarket. Security vendors focus on the biggest 1,000 companies worldwide. Big-business Chief Information Security Officers (CISOs) find it easy to buy another security server or appliance, and assign a few staff to make it work.
The security no-man's land is starting to get safer. Service providers offer firewall monitoring and spam-filtering as a service, and vendors are beginning to offer products purpose-built for the midmarket. But too many are "dumbed-down enterprise products, which doesn't really solve the midmarket company's problem," Rothman says.
Midmarket companies need security mentors to manage and teach security until the companies are ready to stand on their own, writes Dan Geer, computer security analyst and risk management specialist.
The security no-man's land is an extension of the direction the entire IT industry is moving, writes Bruce Schneier, security blogger, author, and chief security technology officer of BT. Only the largest companies have dedicated IT staffs, with others outsourcing the functions to IT providers, which also manage security. He says:
A company whose email consists entirely of Gmail accounts, whose payroll is entirely outsourced to Paychex, whose customer tracking system is entirely on Salesforce.com, and so on -- and who increasingly accesses those systems using specialized devices like iPads and Android tablets -- simply doesn't have any IT infrastructure to secure anymore.
How about you? How are you getting along in the security no-man's land? Let us know.
College Network Aces Private Clouds
Securing Data in the Cloud Is Everyone's Job
Boeing Learns Supply Chain Only as Strong as Weakest Link
— Mitch Wagner , Editor in Chief, Internet Evolution