The cyber security industry has a peculiar problem. It does not have a clue how to build products for, sell to, and service the mid-market.
The biggest security companies in the world are well suited to landing massive deals with the biggest five per cent of companies. Likewise, small businesses are usually catered for by freelancers and small service providers, or, quite frankly, don’t have the budget or inclination to improve their security whatsoever. Most of the mid-market end up with point solutions and piecemeal consulting services and are left exposed to potential threats, with little advice, governance, planning or improvement.
The industry is extremely bad at helping the huge demographic of companies that sit in the middle of the two. These businesses have grown large enough to take security seriously, but don’t have the huge budgets or dedicated security resources needed to work with big security companies.
Mid-market companies are primed and incentivised to buy, but they don’t like what most security companies are selling. It’s a bit like trying to buy a car but the only options are Ferraris or Smart Cars. Perfectly appropriate vehicles for the right buyers, but neither suits the needs or budget of the average family household.
Not understanding needs
The biggest problem is that security companies do not understand what mid-market companies need. They don’t recognise the pain points, and they try to sell to them as if they were simply smaller versions of large enterprise businesses, or give them self-service tools that require a lot of training, configuration, and ongoing support.
The companies that buy products or services because they are interested in or excited by the technology are the exception, not the rule. For most mid-market companies, security is something they pursue as a byproduct of their compliance processes, or because they have had some sort of breach or cyber attack. They are looking for penetration testing and managed detection and response services because it is a regulatory condition for them to operate in compliance with their industry – not because it is best practice.
It is important to remember that certification does not equal secure; it is simply a point-in-time assessment of security policies, processes, and controls. However, you have to meet customers where they are. Some of the best accounts I’ve worked on, where we have taken businesses on a journey from zero to 100, started as a compliance exercise. If you can demonstrate to mid-market companies how taking security seriously can ease their compliance burden, they will take security more seriously.
Selling problems, not solutions
Speaking of understanding customer needs, I think the cyber security market struggles to recognise the extra workload and costs that their products and services can put on security teams – who are already stretched to breaking point.
Security companies often encourage users to deploy solutions without really understanding their problems. This leads to multiple solutions, multiple vendors, and internal teams that are tasked to become experts on them all. Each new product involves training, new configurations, new management, new alerts, and new mitigations. The cost of professional services to manage all the extra controls can far exceed the cost of the tools/licenses themselves.
Mid-market companies simply do not have the resources, people or budgets to deploy all the latest controls. You can’t add to the pile of a company’s cyber security problems; you need to sell solutions that take problems away.
Over-complicated tech and jargon
Security brands are constantly confusing the market and their users. They over-complicate the challenges they believe their customers have, and the solutions that will solve them. What companies really want is simplicity.
Rather than focusing on tech specs, mid-market companies want a high-level cyber security strategy that gets them from A to B as quickly and effectively as possible. They need to establish clear objectives, costs, timelines, potential roadblocks, and alternative paths. The tech used is largely irrelevant, unless specifically cited in their compulsory regulations.
Future mid-market success
We need security companies to address their failures in the mid-market because we need a more secure Australian mid-market. When these businesses are breached, they may not make national headlines, but the larger companies they may serve may come into the spotlight. We have seen too many small companies impact the security of a larger company they provide services to. These small businesses are important businesses for a healthy economy overall. A breach can stop a company from operating, it can be devastating for customers, and ransomware campaigns targeting small- and medium-sized businesses are helping to fund cyber-crime worldwide.
Looking ahead, if the major players in security cannot sell to the mid-market, they should partner with businesses that can. More products should also be aimed at mid-market orgs, rather than those at the very top and very bottom of the chain. Finally, there is a need for mid-market businesses to recognise that they share some responsibility in this too. They need to invest more in security and, if a large security brand’s service doesn’t come under budget, look for alternatives on the market.