In my experience with companies of all sizes, organizations can be either too small or too big to wrap their arms around information security best practices.
Third Rock from the Sun
Much like the Earth being just the right distance from the sun and having just the right combination of elements and natural resources to support life as we know it, businesses that have roughly 500 to 1,500 employees seem to be just the right size—and often have the appropriate resources—to develop and maintain an effective InfoSec program. Companies in this size range are also often at just the right point on their process maturation curve to embrace the efficiencies and strategic value that a stronger information security posture can bring.
Challenges for Small and Large Organizations
Smaller organizations and startups are often nimble, but lack the staff and/or expertise to address all the demands of information security, compliance and risk management without creating deficits in other operational areas. Such companies tend to run out of runway pretty quickly in any direction when it comes to finding resources or delegating significant responsibility.
Similarly, organizations with well above 1,500 employees may have significant resources at their disposal, but are so large and diverse they have difficulty “seeing the forest for the trees” in terms of security. Bigger firms often have fundamental disconnects between departments, making it hard to develop a holistic view of risk or preventing overlapping or incomplete control coverage. Enterprises often have security issues they are not even aware of, or two different parts of the company may each think that it’s the other’s responsibility to manage something related to security and/or risk.
Whether “too big,” “too small” or “just right,” every organization has some kind of information security posture. If your business is in that “sweet spot” size-wise, you may benefit significantly from partnering with an expert third-party to take your InfoSec program to the top level.
The Potential for Virtual Security Services
I frequently see this first-hand: Medium-sized organizations have “in-between” needs that don’t necessarily require a full-time CISO but are also too big (and often too pressing; e.g., pressure from prospects to provide a security attestation) to be put off. This makes many medium-sized orgs and small enterprises great candidates for a virtual CISO (vCISO) and related services.
Our team is currently working with about 200 of these medium-sized organizations in various capacities. This gives us a wealth of knowledge and experience, and a valuable perspective to share with companies in this size range.
If your organization is ready to address information security gaps or tackle a strategic InfoSec initiative, contact Pivot Point Security—we’d love to talk more about your goals.