June 24, 2021

Last Updated on January 14, 2024

Despite ongoing warnings from experts and an escalating percentage of opportunistic attacks, SMBs continue to underestimate their cybersecurity risk. What’s behind this self-destructive mindset? And which companies are seeing past it and taking steps to reduce their cyber risk?

To unravel all aspects of the managed security market space, Chris Nyhuis, President and CEO of Vigilant, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosted the show as always.

Who is investing in managed detection and response?

“What we find—and this is really interesting—is [investment in MDR] is revenue-based,” shares Chris. “Companies that have $10 to $12 million or more in revenue tend to realize they’re at that inflection point where, ‘We probably should look at things a little bit differently.’”

“Companies underneath that, they’re so tied to their finances in some ways that they don’t see security as an investment,” Chris adds. “Then, when you get to the enterprise level of around $1.2 billion, there’s another inflection point. You have this all-set mindset; you have an in-house only mindset. You have this approach that creates a microcosm within that company. So, it’s really from $10 million to like $1.2 billion in revenue.”

That’s where Chris sees the “sweet spot” where firms say, “Okay, we need help,” and invest in MDR.

Why SMB and SME leaders consider MDR

“At that $10 million level, do you think that’s because in many companies, that’s the first time that they’re really getting dedicated security people?” John asks. “In smaller companies you tend to see IT and information security as being sort of one function. The IT director/CIO guy is responsible for security. Do you think that’s part of it, that they’re getting to the point where they get dedicated security staff who are able to recognize the issue and communicate it better to management?”

“I think it is… But I think it has to do with the ownership in a lot of cases,” observes Chris. “It’s the point where the founders, the owners of the organization, are letting loose a little bit more of control. … It’s that much less tied to the pocketbook, right? It’s also the inflection point for a lot of organizations; $10 million is a big jump point for growth. They’re starting to go, ‘Hey, we’re going to go big-time now.’”

“And I think the thing that boards, C-level people, decision-makers, the owners of organizations have to realize is that everything you protect can be taken away overnight by a threat,” Chris underscores.

Value creation versus value preservation

“COBIT has this idea that has always resonated with me: value creation and value preservation,” notes John. “If you only have a million-dollar company, you’re not losing that much; you can rebuild it. But if you start getting to $10 million, you’ve created something that suddenly you look at and go, ‘I can’t afford to lose this.’ So maybe it’s more that their mindset shifts to some greater recognition of that value preservation side of the equation.”

Chris then shares a scary anecdote from the enterprise end of the spectrum: “We had this major national brand; went in, talked to their team, and their team’s like, ‘Yes, we need this, this is going to save us tons of time, it’s going to reduce risk in massive ways.’ And then they went to their purchasing department. This was in February. And the purchasing department said, ‘Sorry, we only take new vendors in the month of January every year.’ And guess what? Six months later they were in the news.”

“It’s one of those things that, when you get to be above that $1.2 billion, that’s another inflection point,” elaborates Chris. “You’ve got so many layers between what has to happen and where you’re at, and so many decision-makers, that things take forever. … And when you have threat actors in your environment for 315 days, you’re fighting a losing battle, right?”

What’s Next?

Considering MDR to reduce cyber risk and/or support compliance with CMMC, NIST 800-171 or other security mandates? Don’t miss this podcast episode with Chris Nyhuis, CEO at Vigilant.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.
