Companies spend a lot on IT security, and that trend does not look like it’s stopping, despite the current economic headwinds. Gartner estimates that spending on information security and risk management will grow by 11.3 percent to reach more than $188.3 billion in 2023. Yet, in the face of mounting economic pressure, many companies are afraid they will have to cut their spending. According to our own research, around 44 percent of small and mid-sized enterprise (SME) companies think they will have to reduce their IT budgets in 2023.
Of these, around three quarters think this reduction will lead to increased risk to the business. When this happens, stress and overtime increase dramatically. Already, we found that all IT professionals work more hours than they are paid for, with 26 percent saying they average ten hours a week in overtime. In order to solve these problems, we have to think again about the role of IT security, and why the size of the company you support affects how you can achieve your goals.
SME versus enterprise IT — who has it best?
The overall goal for IT security should be simple to describe — enabling your employees to work while keeping the bad guys out. In actuality, it expands to making work happen for your co-workers however and wherever they are, while preventing unauthorized access to company systems and data. But making this happen in the real world involves understanding the limitations and restrictions that you have to work with.
For SMEs, the big challenge is around resources. While you might want to deliver the very best security program possible, you will have to work with limited budgets and — most importantly — limited time to get the work done. This is because SME IT professionals have to take care of everything surrounding their technology, rather than being able to focus on specific areas.
Alongside this, SMEs have smaller budgets overall to work with. While you might want to deploy some of the latest and greatest technology, you may be constrained by what you can actually afford to deploy yourself. Lastly, SMEs will tend to have less budget for training around security issues. While enterprises can afford to send all employees on security training and refresher courses on a regular basis, SMEs will likely have competing priorities that take precedence. For the SME IT professional, making use of free tools and delivering what the company needs are a given.
So, should the SME IT professional up sticks and move to a large enterprise? Not so fast. Enterprise IT professionals have to face different challenges that are no less painful. While they might enjoy larger budgets and have dedicated resources for security management, these teams face more attacks. As their companies have more assets — and frankly, more money in the bank that attackers want to get at — they will be higher profile targets for cyber attacks.
Alongside this, enterprise IT security teams face huge amounts of complexity. According to the Ponemon Institute, 53 percent of IT experts admit they don’t know how well the cybersecurity tools they’ve deployed are working. According to Fastly, companies have tools but are not using them, with only 61 percent of cybersecurity tools fully active or deployed. This means that companies have a sprawling security architecture in place, but are not actually sure they have all the gaps covered.
What can we learn from each other?
So, we have IT professionals that are time-poor, stressed and constantly under pressure to deliver. How can we fix this situation? The answer lies in how we consolidate.
Rather than looking for more new tools to help our teams, we have to look more at how we organize our processes and then use tools to support those steps. This means going back to some first principles around security, and how they support ways of working. For example, we found that a third of SME IT professionals had six or more tools in place to manage employee lifecycles. Using multiple tools might make sense, but it often leads to more complex processes and gaps over time. Consolidating tools where you can makes it easier to track what is being done, and should reduce overall spending too.
Similarly, we can look at how to manage security for our assets, devices and users more consistently. At the SME level, IT teams don’t want to run three different tools for device management as well as user identity and patching. If you can reduce the number of tools involved, it makes it easier to automate some of the processes too, as you don’t have to rely on manual work across tools.
For enterprises, SME IT teams can provide a lesson in how to concentrate on what really needs to be done, how to automate those processes and where you can simplify what you support. This frees up time to work on other, higher value areas — for SMEs, this will be the other IT tasks that they need to support, while enterprise IT teams can focus on threat hunting and improving their security posture.
The risk of attacks around IT is not going away. Companies will have to spend in order to keep themselves and their businesses secure. But what we can learn is how to make those budgets go further and make life easier for our teams. By looking at other organizations, we can pick up some valuable lessons on how to improve security.
Chase Doelling is Principal Strategist, JumpCloud.