Home » Security Leadership » Metrics/Budgets

3 Ways to Do More With Less

CISOs at midsize businesses face many of the same problems as CISOs at larger companies, but with a lot fewer resources. What they've learned can help any CISO get by on less.

Stanley "Stash" Jarocki is used to getting plenty of attention. Once the VP of IT security at Morgan Stanley, Jarocki knows what it's like to manage a staff of dozens at a Fortune 50 company that spends millions of dollars on technology. When he called a vendor, the vendor answered. Quickly. "I'd pick up the phone, and the companyservice provider, hardware provider, software providerwould be in the door tomorrow, today," Jarocki says.

But that was then. Jarocki has had to change his tactics and expectations now that he works in one of the trickiest spots in security: right in the middle. He is senior VP and information security officer of New York Citybased Bessemer Trust, a privately held wealth management company with $40 billion in assets and just 600 employees. When it comes to infosec, analysts say, working at this size company can be the worst of both worlds.

"The companies are often big enough to be targets, but not necessarily big enough to have the staff and the budget to do security well," says John Pescatore, a vice president at the analyst firm Gartner. "They often don't have strong IT discipline, and that causes all sorts of security problems. But they're big enough to be targets of cybercrimesomebody saying, Let me go after this plumbing supply company. It's not so big, but maybe I can find a credit card file." What's more, midsize organizations may face the same bevy of regulators as big companies.

But the little guysthat is, companies with revenue between $100 million and $1 billionare being forced into getting better at security. And the best among them have tips about managing security on a budget that even CISOs with gargantuan budgets could learn from. Here are three ways they're doing more with less.

1. Find good security generalistsand know when it's time to call in extra help.

When Robert Lewis, CISO of Cambridge Health Alliance in Cambridge, Mass., was nominated for Information Security Executive of the Year for the New England region, he remembers going to the gala affair and watching the CISO of State Street pick up the award.

"Her staff in security was larger than our entire IT department," recalls Lewis, who is also director of telecommunications and network services at the nonprofit group, which has annual revenue of $466 million.

The biggest challenge? Finding and keeping a small stable of talented security employees who are jacks-of-all-trades, in a marketplace that sometimes values specialization. "In a very large organization, your security group will have a huge amount of specialization," says Jim Reavis, founder of an eponymous security consulting group. At small companies, by contrast, "you have people who wear a lot of hats." Midmarket organizations are lucky to have even a couple of people whose jobs are entirely devoted to information security.