10 Midsize Enterprise Execs Talk Security And What Keeps Them Up At Night

CISOs, IT managers and other security-focused executives at 10 midsize enterprises talk with CRN about the issues they lose sleep over and what they are doing to give their companies a more secure environment.

Securing The Midsize Enterprise

When it comes to what midsize enterprises, and businesses in general, think about most in IT, security seems to be the topic that trumps all others. That was evident in meetings, presentations and conversations during the recently concluded Midsize Enterprise Summit, organized in Las Vegas by The Channel Company, which is also the parent company of CRN.

Highlighting the importance of security was Mike Cisek, a vice president and analyst focusing on midsize enterprise research, infrastructure and operations at research firm Gartner, who told CIOs, CISOs and other IT executives at the conference that a recent Gartner survey found that what CIOs most want to work on, and what CEOs want their CIOs to work on, is security.

[Related: The 2022 Security 100]

That should be no surprise, Cisek said.

“It’s been the common theme for just about every discussion that we’ve had,” he said. “So when you look at the security piece, that’s going to stand out. But I think it’s all a function of resource constraints, right? You need to find strategies and tactics that are going to work. Because everything’s interconnected, just like every inquiry we have. It’s part security, it’s part cloud, it’s part budget, it’s part staffing and upskill. You have to look at this thing on a macro level.”

Managing security comes down to hard choices, Cisek said.

“How can I devise a comprehensive cybersecurity program when I don’t even have a CISO?” he said. “Or I don’t have dedicated security resources? Or, out of my $2 million budget that is half personnel, I’m spending 5 percent of that. Well, what’s that? That’s a whole lot of nothing. That’s $100,000 or $200,000 per year. So how can I do that within the confines of a midsize enterprise? … That’s why we see midsize organizations leveraging things like as-a-service offerings or managed security service providers.”

IT executives at midsize enterprises, in a series of conversations with CRN, also highlighted security as their top concern. Ransomware, phishing and attacks via third-party partners are among the issues causing concern and taking up much of their time and IT budgets.

Here is what these executives say are the issues causing them to lose sleep at night.

Valeri Stoyanov, CISO

Minerals Technologies, a New York-based developer of specialty mineral products and services

What keeps me up at night in general is the risk across the organization, understanding the risk and visibility of where sensitive data is. And also, do we have the right technologies in place to address those risks? To determine that, we basically do a risk assessment and do something quantitative. Essentially, rather than having a high-level risk assessment, we go into the details, looking at specific risks, understanding and quantifying whether the technologies we have appropriately mitigate the risk. For example, if a risk were to materialize and the impact would be $10,000, but we’ve implemented a technology that’s worth $100,000, obviously, we’ve overshot. But if we have implemented a $100,000 technology that will mitigate a risk of $10 million, then we have the appropriate technology in place. So basically, equalizing and maximizing that equation between risk mitigation and the appropriate technological implementation.

You can’t eliminate risk. Certainly you have an inherent risk that you have to assume will always be there and may not be mitigated. But we want to address as much risk as possible, and prevent and mitigate it, and then account for that residual risk.

For 2023, our security spending priority is essentially things to address our model. In our case, it’s OT, or operating technologies, risks that come from that space, but also IT technologies, minimizing shadow IT and addressing those things. And again, around that whole risk modality, risk understanding and qualification. We can talk in vague terms, but what is our specific quantifiable risk? And are we investing in mitigating those technologies?
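The comparison Stoyanov describes, control cost against the risk it mitigates, is the standard annualized-loss-expectancy (ALE) calculation. The example below is added here and is not from the article or from Minerals Technologies; it uses the two dollar figures he gives ($10,000 and $10 million) and adds assumed annual frequencies and mitigation fractions, labelled in the code, because impact alone does not settle the question: a $10 million loss expected once a decade and a $10 million loss expected weekly justify very different spending. The residual-risk term is the inherent risk he says must be assumed and accounted for.

```python
"""Quantitative control evaluation (added example, not from the article).

Model: ALE = single-loss impact x annual rate of occurrence (ARO).
A control removes some fraction of that ALE; what is left is residual risk.
Return on security investment (ROSI) = (risk reduced - control cost) / control cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float        # single-loss expectancy, dollars
    annual_rate: float   # expected occurrences per year (ARO), assumed

    @property
    def ale(self) -> float:
        """Annualized loss expectancy in dollars."""
        return self.impact * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # what the technology costs per year
    mitigation: float    # fraction of the risk it removes, 0.0..1.0, assumed


def evaluate(risk: Risk, control: Control) -> dict:
    """Compare a control's cost with the risk it addresses.

    'overshoot' is the article's case of spending more than the risk could
    cost in a year; 'not worth it' means the control costs more than the
    loss it prevents; 'justified' means the reduction exceeds the cost.
    """
    residual_ale = risk.ale * (1.0 - control.mitigation)   # residual risk
    risk_reduced = risk.ale - residual_ale
    net_benefit = risk_reduced - control.annual_cost
    rosi = net_benefit / control.annual_cost if control.annual_cost else float("inf")
    if control.annual_cost > risk.ale:
        verdict = "overshoot"
    elif net_benefit <= 0:
        verdict = "not worth it"
    else:
        verdict = "justified"
    return {
        "risk": risk.name,
        "control": control.name,
        "ale": risk.ale,
        "residual_ale": residual_ale,
        "risk_reduced": risk_reduced,
        "net_benefit": net_benefit,
        "rosi": rosi,
        "verdict": verdict,
    }


# Constructed inputs: the article's two impact figures, with assumed rates.
# The $100,000 control and its 75% mitigation fraction are assumptions.
CONTROL = Control(name="hypothetical $100k control", annual_cost=100_000.0, mitigation=0.75)
SMALL_RISK = Risk(name="$10k impact, once a year (assumed)", impact=10_000.0, annual_rate=1.0)
LARGE_RISK = Risk(name="$10M impact, once a decade (assumed)", impact=10_000_000.0, annual_rate=0.1)


def compare_article_cases() -> list[dict]:
    """Run both of the article's cases against the same control."""
    return [evaluate(SMALL_RISK, CONTROL), evaluate(LARGE_RISK, CONTROL)]


if __name__ == "__main__":
    for row in compare_article_cases():
        print(f"{row['risk']}: ALE ${row['ale']:,.0f}, residual ${row['residual_ale']:,.0f}, "
              f"net ${row['net_benefit']:,.0f}, ROSI {row['rosi']:.2f} -> {row['verdict']}")
```

Change `annual_rate` and `mitigation` to see how quickly the verdict flips; the point of doing this per risk rather than at a high level is that the frequency and mitigation assumptions are where the argument actually lives, and they should be written down where they can be challenged.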

Chris Smalley, Associate VP, Director, IT

Hoefer Welker, a Leawood, Kan.-based architecture, planning, and interior design firm

My biggest concern is ransomware. Just getting our information encrypted would be a terrible day for me. I know that really keeps me up. I feel like I’ve got pretty good walls built up. But it’s always possible. We’ve done all the things to build those walls. Immutable backups, MFA [multifactor authentication], next-gen antivirus, security training for my employees who are regularly tested and trained. I think I’ve got pretty good walls up, with an IPS [intrusion prevention system] and IDS [intrusion detection system] as well on the network.

I don’t know that I’ve figured out yet how to build the wall higher. I’m continuing to harden the policies that are in place already and making sure that the discussions include security-conscious decisions. In terms of solutions, vendors can be a little convoluted at times. But the vendors are good at telling me what they do. And coming to things like this [conference] helps me discover what else is available and helps me decide what may be a good fit for my business.

Christopher Carpenter, Director, IT

Epilog Laser, a Golden, Colo.-based manufacturer of laser engraving and cutting machines

My biggest concern right now is access. Since we have a hosted ERP system, even with a private cloud implementation with a partner, we need to feel they’ve secured their environment to the point where our application or data is safe. That’s probably the biggest concern that I have right now. We’re a fairly small environment overall when it comes to applications. But that being a critical business application, it’s my biggest concern. I’m really just working with our partner to make sure that they’re doing what they need to do.

Our partner did have a breach actually, about a year and a half ago, on an old antiquated Windows server that they kept up for one client. But it did expose the fact that there may have been some holes that weren’t patched or that were open. And it was definitely scary. But we’re just really working with them, understanding what they’re doing to secure the environment, and then monitoring and continuing to just ensure that all their clients’ applications and data are safe in their environment.

That was one particular application. In general, our concerns are about any of our cloud applications or solutions. So, for instance, before we rolled out MFA about three and a half or four years ago, our CFO’s account was compromised. Luckily, all that was really done that we found was some email [issues]. But it really exposed to me at that point in time that even Microsoft 365, no matter how much physical security they have with their data centers, all somebody needs is a credential to get in. And then it’s pretty much over at that point in time. Just being aware of what those points of entry are, and how vulnerable they can be, is really key. It’s something that comes with knowledge and understanding, making sure you configure things correctly, making sure that you understand the solutions you’re putting in, what features that they have to secure that as well. And then understanding what other third-party solutions may be out there to also help secure those environments.

We’re actually working on what we need to further secure those environments as we speak right now. The biggest thing that we’ve done is we implemented multifactor authentication a few years ago. We do monitor our Microsoft environment daily. We’ve put in some conditional access policies as well, trying to lock that down a little bit further. So we’re using basic out-of-the-box tools that Microsoft provides, but definitely looking at third-party solutions to help kind of bridge that gap and make sure that we’re really thinking about it holistically.

Greg Fosdick, Global Director, IT, Technology

Wieland North America, the Frankfort, Ky., office of Wieland, an Ulm, Germany-based metal recycler

What keeps me up at night is probably the unknown. It is the ever-changing landscape of having things discovered, resolved, remediated. And then the next thing is always almost fighting a losing battle. There’s always going to be something coming up next. [The bad guys are] going to get smarter or even more defiant in how they get into different areas. You’ve heard this said before: It’s not if but when you get access to the security. Just the uneasiness of what the next step is.

We handle this in part by training users, in part by having the right tools in place, and having the right partners, whether it’s internal or external partners, that work on trying to look at the various levels of vulnerability: the discovery side, the remediation side, the heuristic side, that’s all the different foundations of how do we protect IT. It starts with training because users are probably our most vulnerable area, and goes all the way through the back end and how we actually harden our systems to vulnerabilities.

Our security investments are almost the same thing every year. We’re looking for the right partners, we’re looking for the right tools—that could be a training tool—or a way to be able to communicate with clients to give them the mental awareness of how to help themselves protect the rest of the network. And so I think it’s a year-to-year fight. And I think almost every year we have to just look at how do we better ourselves from what we did last year and what we need to do next year.

Al De La Cruz, Technical Support Manager

Les Olson, a Lindon, Utah-based business technology provider

Security. All aspects of it. And then the remediation, you know, how are we going to get this stuff back if something were to happen.

The big issue is ransomware. We’ve had a couple of customers hit with ransomware. And so that’s always the top concern on the priority list, making sure that we educate the customers or the users to make sure they’re not clicking on things that they shouldn’t be clicking on. And also providing the solutions to make sure that whatever software package they’re using fits their needs. Not every piece of software is perfect for everybody. Whatever fits their needs the best is what we recommend.

End users are still clicking on things they shouldn’t be clicking. I don’t think there’s anything that will stop it all. There’s training now from Wombat [now known as Proofpoint Security Awareness Training], and other training modules that you can send out to spoof users to see what the response is. You can send out a quick ‘clickbait’ that doesn’t go anywhere but reports back to you about who clicked on it, or who needs more education on something. That’s really all you can do because really the security lies with the end user, not anywhere else.

Andrew Werner, Head of IT, U.S. Operations

Applegreen, a Dublin, Ireland-based gas station and food service company

I would say my biggest concern is something that’s taking our company down, not a sort of loss of data. And then the users doing something dumb. I think they’re our biggest weak point. For example, it’s emails that come through or clicking things or installing things they’re not supposed to, or attempting to anyways.

I’m new to the company. I can speak more about my last company. We installed email security with link protection and things like that. We used Mimecast, actually. We also used Morphisec. So we were definitely using tools and then instituting training for users.

For 2023, with my new company, I’d like to see better remote connectivity. I’d like a more secure, maybe zero trust. VPNs and access is one of the big things we’re looking at.

Faisal Akkawi, Executive Director, Information Systems

Northwestern University, Evanston, Ill.

What keeps me up at night? No. 1 is the third-party companies that [provide security]. One thing is, when you’re trying to secure a network, and you’re bringing a third party to come in and monitor your network, they become a threat as well. I don’t know if you’re familiar with the Target hack [of 2013], the hack through a vendor.

What keeps me up at night is that no system is secure. And someone is going to get in, no matter what. If someone goes after you, they will find a way to get it. Because in security, to secure your network, you have 1,000 doors. You have to secure every single one of them. But the hacker only needs one. The hacker only needs one of your employees to click on one link, and it’s over. So what keeps me up at night is that we could never be secure. It’s a constant risk life cycle of layers of security that we have to keep adopting and testing on a daily basis in order to barely stay afloat, especially in this environment.

And what’s even more dangerous, something that the current industry is not taking into account, is the adoption of the future 5G technology. 5G technology to the vast majority of people is just another 4G that is one generation ahead. You couldn’t be farther from the truth. 5G is a multi-sectorial technology that will revolutionize the way we think, the way we do business. And it is hundreds of times faster than the 4G and will be adopted. And once it’s adopted, it becomes a highway for hackers to be able to get in and get out and utilize the network.

Robert Rosales, Director, IT

Oak Harbor Freight Lines, an Auburn, Wash.-based LTL (less than truckload) freight carrier

Ransomware is on everyone’s lips right now. And so that would be my No. 1 worry. And then also service uptime, just to make sure that our IT services don’t impact the business.

On the ransomware side, we started with our anti-virus. We have an anti-virus that is able to detect the activities of ransomware. We’ve made it so there’s no connection to our network from other foreign countries. So we’ve limited the connection. We’ve implemented more frequent password changes. We implemented security education, phishing education, things like that. And complex passwords. So it starts from that. And it starts from people just being aware of security best practices. And we send the occasional test email.

For uptime, we build resiliency into our network, multiple connections to critical services, things like that. Load balancers through our applications. So a lot of different types of resiliency built in the services, infrastructure and applications.

Next year, we’re going to be focused on the data analytics side, the ability to get the data and discover things where we could be more efficient with our operations.

Vickie Alston, Director, Information Technology

University of the Ozarks, Clarksville, Ark.

What keeps me up is the possibility of being hacked, someone getting into our network, encrypting our information, holding us up with ransomware, something like that is probably the biggest thing that keeps me up at night. I’m here at this conference looking for a vendor to hopefully help me resolve that issue. I’ve seen several vendors: Bitdefender, ThreatLocker, a couple other ones that are here. I just need to dig deeper into what they offer and see which one is the best fit for us.

Until now, we’ve done multifactor authentication for my users, educating my users, keeping my systems patched and updated, things like that. Next year, we’ll also focus on the cloud and protecting our information that we have in the cloud as well as our on-premises servers.

Joshua Van Camp, Network Administration Supervisor

Gleaner Life Insurance Society, Adrian, Mich.

The threat of ransomware attacks is probably the biggest thing. And just making sure we’ve got the right tools in place to detect and then remediate security threats, whether it be small or major. We’re looking at defense in-depth. So it’s everything from multifactor to tools like EDR [endpoint detection and response] and MDR [managed detection and response]. And again, just making sure it’s in-depth. So I say ‘multifactor,’ it’s not just multifactor for users. It’s multifactor for some of the back-end stuff, and it’s across the different devices and products.

In terms of new technologies, we’re probably a little bit more in a holding pattern, continuing to work on more and more multifactor authentication, pushing that through. We haven’t looked at privileged account management. I don’t know if that’s going to be for next year, but that’s on the horizon.