Since global enterprises with deep pockets face a higher risk of attack, IT security professionals working at large firms often have an easier time than their midmarket counterparts when it comes to winning executive support for new intrusion defense investments.
Midmarket companies -- typically defined as organizations with $50 million to $1 billion in annual revenue and anywhere from 100 to 5,000 employees -- have tighter budgets and haven't suffered security breaches to the same degree as enterprises, said Jon Payne, VP of IT for Boulder, Colo.-based Wild Oats Markets Inc. As a result, it's more difficult getting executives to grasp the dangers posed by certain threats and approve the security investments and policies needed to deal with them.
Payne has first-hand experience in this area. Before arriving at Wild Oats, a company closer to the midmarket with 8,500 employees and just over $1 billion in revenue last year, he worked for global giants such as Qwest Communications International Inc., Sprint Corp., PepsiCo Inc., and General Mills Inc.
"Bigger companies have already been burned and are more serious about security measures," Payne said. "Midmarket companies simply aren't as aware of their risks and security needs from the get-go. My job is to educate upper management on what the risks are and why we need to make certain changes and investments."
While it's harder to sell midmarket executives on security, Payne and other IT professionals have found that they can be won over using the same arguments that resonate in big enterprise boardrooms. Payne has attracted his executives' attention, for example, by explaining how certain investments and policies could boost regulatory compliance efforts and prevent a headline-grabbing security breach.
"Our security budget has increased in the last three years," he said. "Regulations like Sarbanes-Oxley and the Payment Card Industry (PCI) Data Security Standard have been big factors."
Different concerns, similar solutions
Jason James is VP of IT for Happy State Bank in Happy, Texas, a company at the low end of the midmarket with 250 employees and $27 million in revenue last year. His company is much smaller than Wild Oats and his top security concerns are somewhat different.
For example, while Payne worries a lot about insider threats, James is more concerned about external attacks that exploit zero-day vulnerabilities. But there are many similarities in the intrusion defense programs they have built to deal with those threats and the arguments they used to win executive support.
Their programs are based on multi-layered defenses, from antivirus software and firewalls to automated, centralized tools that monitor network activity around the clock and pull together the different logs various network devices produce each day. They also spend a lot of time trying to educate employees on smart computing habits.
Chris Liebert, a security analyst with Boston-based Yankee Group, said these are the right priorities for a midmarket company.
"You need a good URL filter and content controls," she said. "You need technology to monitor the network and alert you when someone is downloading a lot of files after hours. Companies that have these technologies are going to be in good shape."
In Liebert's opinion, midmarket companies are better off spending money on intrusion defense technologies than on new IT staff. "It makes more sense from a budget and effectiveness standpoint to use technology for this, than to spend money and time on human resources," she said.
James agreed. "I can't afford to hire a $150,000-a-year IT guy," he said. "For me, investing in the automated technology has made more financial sense."
While most midmarket companies can't afford the kind of dedicated security staff found at a large enterprise, Payne said there are times when more people are needed.
When he arrived at Wild Oats, Payne found that everyone on the IT staff dealt with security along with their other responsibilities. He didn't like the arrangement, because nobody was able to give security the attention it deserved. So he hired one person whose sole purpose is to focus on security, reviewing the daily logs, keeping up on the latest threats and making sure all the latest patches are deployed.
Making the case via compliance, pen testing
While they may not see eye to eye on staffing needs, Payne, James and Liebert are in full agreement on this: Nothing persuades an executive to invest in security like a little regulatory pressure.
"There's no question compliance has forced midmarket companies to make intrusion defense investments they wouldn't have made otherwise," Liebert said. "That's the big upside to compliance: it has forced companies to review their security controls."
"The big questions executives always ask me are whether we're compliant and what other banks our size do to be compliant," James said. "If a regulation says you need a firewall, an intrusion detection system (IDS) or penetration testing, then that regulation is my friend."
That doesn't mean compliance offers an IT professional a blank check. James said his company doesn't invest in security technology simply for the sake of spending. Every tool must serve a specific purpose.
If compliance concerns don't convince executives to back an intrusion defense initiative, then a demonstration of the companies' security holes will probably do the trick.
So far, it's a strategy that has worked for James' team at Happy State Bank. Using a penetration testing tool from Boston-based vendor Core Security Technologies, James said he's able to hand his bosses hard evidence that shows what the company's weaknesses are. It has helped him garner support to get what he needs to address the problems.
"Testing the environment allows us to have a solid sense of security instead of a false sense of security, and you can always find something during penetration testing," James said. His firm conducts external penetration testing every month and internal testing every quarter.
While the path to a strong intrusion defense isn't easy for midsized companies, Payne and James think they have the necessary support from upper management to do what they feel is necessary.
"I couldn't do what must be done if they weren't engaged," Payne said of his bosses.
Added James, "It shows [our executives] have confidence in our security."