Walking the tightrope of innovation & security in the cloud as a mid-market business

Plerion
Apr 28, 2022

All segments of the market — Startups (<100 headcount), Mid-Market (100–1,500 headcount), and Enterprise (1,500+ headcount) — are increasingly utilising the benefits of the public cloud. The reasons for cloud adoption are well understood at this point: agility, visibility, security, ease of set-up, cost-effectiveness, global coverage, and the list goes on.

However, the method of managing cloud environments differs depending on the profile and size of your organisation. Therefore, it is essential to adopt the right kind of approach based on your company’s stage of growth, the rate at which your cloud environment is scaling, and your team’s skill level. All of this is particularly pertinent when viewed through the lens of security.

Arguably, the challenge of how to maintain a secure and compliant cloud posture whilst scaling services quickly is most difficult for mid-market companies:

  • They need a high degree of maturity but don’t necessarily have Enterprise-level budgets to implement multiple best-of-breed tools to assist them.
  • They need to scale the size of their teams. Still, the battle for highly skilled staff in this domain is increasingly competitive (and often, Enterprise competition can throw additional money at the problem, putting Mid-Market businesses on the back foot).
  • They are led by the business’s need/desire to grow quickly; this often leads to a build-first, secure-second approach — potentially creating gaps/vulnerabilities in the environment which are hard to identify and track.

There are different ways to address these challenges. One option is to outsource some of the responsibilities to third-party partners who have security domain expertise, which helps with the skills challenge.

Another option is to leverage native tooling provided by the cloud vendors, and our advice is to always start here as a baseline and build these practices as early as possible. We have seen organisations, especially those scaling fast, struggle to fully utilise native tools as their environment grows — particularly as they undergo greater customisation.

The final option, which we’ll investigate further here, is acquiring third-party tools. Used in the right way, these tools can relieve the burden on teams by: 1) building greater efficiency by identifying issues quicker, 2) allowing the business to build faster without having to add headcount at the same pace, and 3) providing regular assurance to leadership that the business can maintain a solid baseline posture against security, risk, and compliance.

However, having worked with many Mid-Market businesses during our last start-up, we understand that bringing one or more third-party tools into the business can potentially create as many problems as they solve.

  • Tools that work particularly well as point solutions but cannot talk to each other. The net result is that teams spend the same amount of time trying to piece together multiple issues from different systems as they would running purely manual investigations.
  • The engineers suffer from alert fatigue. They’re receiving 100s if not 1,000s of alerts per day; some will be relevant, but some won’t be — perhaps that S3 bucket is public by design? The net result is that teams withdraw from the tooling as they feel like they work for it vs. it working for them.
  • You cannot prioritise the top issues to remediate immediately. Without context, it becomes impossible for a CISO/Security Leader to articulate the most significant risk to the organisation. Are you susceptible to a breach that made the news this morning? Is there an active attack path that could result in a bad actor being in your environment? Can you show improvement over time in your security & compliance posture?

We’re seeking to overcome these challenges with security teams in the Mid-Market space. We want to give you the capability to have an Enterprise-level approach to security in the cloud without the associated burden. We’re achieving this objective by aggregating critical security data across multiple streams to give you a prioritised list of issues that need action — essentially, it is all about context.

We’re still heavily in the product development phase and would love to validate the feedback that we’re getting from the market. Please do reach out to us for a discussion if you’re a security leader, responsible for cloud risk or compliance, a first-line responder, or someone with a passion for this space — we want to understand the top questions that you can’t easily answer today.
