What’s Keeping Midsize Enterprise CIOs Up at Night

Midsize enterprise (MSE) chief information officers (CIOs) responsible for security are up against the same complex threat landscape as their counterparts in larger organizations, but they are challenged to manage risk with fewer staff, limited security tools and smaller budgets. According to Gartner research, only 5% of an MSE’s IT spend was allocated to security in 2021.

We spoke with Paul Furtado, Vice President Analyst at Gartner, to discuss the unique security challenges facing MSE CIOs and how you can more effectively protect your organization. 

Download now: Measure, Prioritize and Improve the Performance of Your Organization’s Security

What are the most pressing security concerns facing MSE CIOs today?

Many of the security risks facing MSEs mirror those facing larger organizations. For example, attack surfaces are expanding due to increased use of cloud applications, open-source code, internet of things (IoT) and cyber-physical systems. This is creating a more complex organizational perimeter for MSE CIOs to secure. 

Digital supply chain risk is another key concern. As we saw with the Log4j vulnerability, attacks can spread through the software supply chain rapidly, and it takes significant IT resources to identify and mitigate those threats — resources and skill sets that MSEs don’t always have at their disposal. 

Ransomware continues to be a top concern among MSE CIOs. It seems that on a weekly basis, we see reports of organizations having to halt operations due to ransomware. These organizations may not have robust incident response (IR) plans in place or IR services on retainer. Without rapid response, containment and remediation, ransomware can have a devastating impact on a MSE.

Read more: Your Ultimate Guide to Cybersecurity

And what’s the impact of the security talent shortage here?

MSE CIOs cite security as the top technology skill gap in their organizations. In fact, most MSEs do not have dedicated cybersecurity personnel on their team. Gartner research shows that we don’t see a dedicated security resource until there are at least 21 people in the IT group. 

Rather, MSE security organizations are usually made up of IT generalists who take on security roles in addition to their other work. Even in cases where MSEs do have headcount for security, given the ongoing talent crisis, it can be extremely challenging to recruit and retain qualified staff.

Read more: 10 Must-Read Articles on Cybersecurity

To run a security operations center 24x7x365, you must have a minimum of eight to 12 security analysts. This is not achievable for most MSEs. So, to be successful, MSEs need to adopt a security-talent-centric approach and implement role-based security, augmented by the use of third party partners. Leveraging a managed security service provider (MSSP), managed detection and response (MDR), or an endpoint detection and response provider (EDR) can allow you to outsource resource-intensive monitoring. In most MSE environments, it is possible to contract a managed service provider for less than the cost of one senior, full-time equivalent. 

Given this landscape, how can MSE CIOs be most effective?

You must be highly effective in your role to protect against expanding threats with limited resources. As MSEs’ digital ambitions grow, CIOs will find the size and scope of their roles increasing as well. Gone are the days of only protecting servers and assessing IT risks. Today’s MSE CIOs are responsible for not only thwarting unrelenting threats, but also addressing compliance within fast-changing regulatory landscapes, providing assurance about growing customer security concerns and more.

Gartner research has found that the most effective CIOs are skilled executive influencers, future risk managers and workforce architects. They actively develop their teams by focusing on diverse competencies and addressing talent gaps with nonsecurity resources. To improve your effectiveness, build strong relationships with senior leadership across the enterprise, particularly those outside of IT. Proactively identify and manage future risks to your organization by informing decision makers about new security norms and technologies, and monitor the workforce and address skills gaps with creative talent management practices. 

Finally, stress management and personal development play an important role. The most effective CIOs diligently manage their time by keeping firm work-life boundaries and making time for personal development.