Despite being shackled by budgets, which can limit their approaches to information security, mid-market companies must still find ways to secure their infrastructures, and should consider managed security services to fill the gap, a Gartner analyst told mid-market security executives Sunday.
"Unless you absolutely have to do it on premise, I urge you not to," Mike Cisek told mid-market IT directors at the opening session for Midsize Enterprise Summit East, sponsored by CRN's parent, The Channel Company. The conference is being held in Nashville, Tenn.
Cisek, outlining Gartner's five technology trends for mid-market companies, told more than 200 business IT leaders that security touches everything, and requires new ways of inoculating the infrastructure from attack.
"Long-held approaches are just not going to work anymore," he said. "You can't focus solely on the perimeter. You can't build the wall higher and just make it expand beyond everything."
Cisek also cited a tough market for information security professionals as a factor as he outlined his case for improved security prevention, detection and response, one of the five trends. Until the IT organization has more than 20 or 25 people, an IT director can't justify having someone focused solely on security, he told CRN after his 30-minute address. That's why Cisek suggested cloud solutions and managed security services to ease some of that burden.
A mid-market company can spend about $3,000 to $5,000 a month for a managed security services provider, far less than the annual salary for a dedicated security professional on staff, which is about $150,000, Cisek told CRN.
So, for an annual cost in the range of $40,000 to $60,000, "you can have a very effective security posture," he said.
That point resonated with Patrick Purdy, CIO at West Metro Fire Protection District, a fire and rescue agency in Lakewood, Colo., just outside Denver. With only 11 people working in IT serving about 500 people in the organization, he can't "pigeonhole" anyone to focus only on security.
But at the same time, his organization is "always in fear" of pushing stuff to the cloud. "You don't want to give up control," Purdy said.
Cisek also suggested that the IT directors consider cloud access security brokers (CASBs), which act as intermediaries between end users and cloud applications, providing platforms with added security benefits through APIs or proxies. "You need something that’s going to sit between you, your users, your data and the cloud," he said in his address.
That option appealed to Jeff Lang, senior director of enterprise infrastructure at Entertainment, a publisher of coupon books based in Troy, Mich.
Lang said he hasn't checked out CASBs yet. "We just don't have dedicated security staff," he told CRN. "Anything we can do to kind of bolster that would be nice."
While he's looking for someone to help his staff with security solutions, Lang cited frustration with security providers who will provide break-fix service, and diagnose and analyze problems and potential problems, but won't do staff augmentation.
The four other trends Gartner cited include: adoption of emerging data center solutions; strategic and tactical use of cloud infrastructure (IaaS) and application services (SaaS); analytics to improve business and it operations; and enablement of the digital workplace.
On the last trend, Cisek urged the mid-market IT chiefs to allow business units to flex their muscles when it comes to technology innovation. That includes making it easy for them to share and exchange information and ideas through social and collaboration tools.
"Don't stand in the way of something they need to do," such as developing applications, he said, although he urged the IT directors to "control" it.
"Make everybody's life as simple as possible," and "allow people to do their jobs," Cisek added.