Why enterprise IT security is the reason we all keep getting hacked

August 09, 2016

A friend of mine, who is a child of 1st generation immigrants to the United States, was living the American dream. She had established herself as a top tier IT leader and was traveling the globe working for some of the most successful IT and security companies in Silicon Valley. So why would she leave her high profile job and jet-setting lifestyle to work with mid-market firms in places like Idaho and Utah?


The short answer is that enterprise sales strategy is starving mid-market firms of the technology and expertise they need, and as my friend realized, in order to secure the enterprise, you must also secure the mid-market.

Starving For Technology and Expertise

You are the CIO of a mid-market healthcare organization and just heard about a peer’s data breach (they were fined $5.5 MM for it). The board tasked you with beefing up your compliance with HIPAA as well as a host of other risk-mitigating strategies. You discover a requirement about managing your vendors, the weak point in your HIPAA compliance, and begin looking for software solutions.

As a mid-market firm, you are already operating with highly constrained resources and have a budget of $50k to manage your 100 most critical vendors ($500 / vendor). You check Gartner and other resources to figure out which providers to procure from, and start making phone calls — and this is where it begins to fall apart, because the most legitimate solution providers qualify you out after the first call…

There are multiple reasons, but one of the key factors is the current state of enterprise sales strategy, where the best, enterprise grade SaaS technologies and consultants just can’t be bothered to pursue an account for less than $100,000 in annual contract value.


After getting qualified out by the “enterprise” solution providers, you eventually find some inadequate tools and junior consultants, but you don’t have junior consultant problems; you have enterprise-level problems. In time and desperation, you close your RFPs and task your internal teams to get it done, but they are only partially effective, leaving your organization exposed to serious data breaches and the associated regulatory risks that got your peer sued for $5.5 million.

Isn’t it ironic?

Ironically, many of the same mid-market firms that are unable to provide enterprise-grade IT end up as 3rd party vendors for the larger enterprises. So while those large enterprises are building fortifications, ramparts, and moats to secure their data, they are also “punching holes in their castles” to enable 3rd party vendors to come in and out while performing their services. This is how Target got hacked, it is how Home Depot got hacked, and it is where 80% of an enterprise’s vulnerabilities come from, according to the Cyber Security Market Report by Cybersecurity Ventures. In the immortal words of Alanis Morissette, “Isn’t it ironic? Don’t you think?” (If you don’t get this reference, you just might be a junior consultant…)

Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit: https://www.whistic.com.


About the author

Andrew Watanabe

Chief Product Officer @ Whistic
