The cybersecurity industry has a marketing problem, and it's making your job harder. Every vendor pitch starts with fear. Breach statistics. Ransomware horror stories. The implication (sometimes stated outright) that your organization is one click away from catastrophe and only their product can save you. The trade press amplifies it. The conference circuit runs on it. And the result is that most CEOs either overspend on security theater or, overwhelmed by the noise, do too little and hope for the best.
Neither response is useful. What a CEO actually needs is a clear-eyed understanding of the real risks facing their specific organization, a proportionate set of controls that address those risks without paralyzing the business, and enough knowledge to ask the right questions of the people managing security on their behalf. That's what this article is about.
The actual threats facing organizations your size
If you run a mid-market organization (50 to 2,000 employees, operating in commercial sectors), your threat profile is fundamentally different from the organizations that make the news. The Financial Times writes about nation-state attacks on critical infrastructure and advanced persistent threats against defense contractors. Those stories are real, but they're not your problem.
Your actual risk profile is dominated by opportunistic attacks. Automated scanning for known vulnerabilities. Phishing campaigns sent to millions of email addresses, including yours. Credential stuffing using passwords leaked from breaches at other organizations. Ransomware gangs that don't target specific companies but exploit whoever has the weakest defenses.
This is simultaneously good news and bad news. The good news is that you don't need the security budget of a bank or a defense contractor. You're not defending against bespoke attacks from well-funded adversaries. The bad news is that the bar for "good enough" security is higher than many organizations realize, because the automated attacks are relentless and they will find your weaknesses if you have them.
The practical implication: your security posture doesn't need to be perfect. It needs to be better than the average target. Opportunistic attackers, by definition, move on to easier targets when they encounter reasonable defenses. The analogy of the two hikers and the bear applies: you don't need to outrun the bear, you need to outrun the other hiker. In security terms, you need to be a harder target than the organization next door.
The risks that actually matter
Phishing and social engineering. This is the number one attack vector for mid-market organizations and has been for over a decade. Not because people are stupid, but because phishing attacks have become remarkably sophisticated. A well-crafted phishing email, sent to someone in finance who's expecting an invoice, is almost indistinguishable from a legitimate message. Business email compromise (where an attacker impersonates a CEO or a supplier to authorize a fraudulent payment) causes more financial damage to mid-market organizations than all other cyber attacks combined.
The defense isn't primarily technical. Spam filters and email security gateways help, but they'll never catch everything. The defense is a combination of technical controls (multi-factor authentication, email authentication protocols like DMARC, conditional access policies that restrict what a compromised account can do) and process controls (verification procedures for payment changes, dual authorization for significant transactions, a culture where questioning suspicious requests is expected rather than awkward).
Credential attacks. Password reuse is endemic. Your employees use the same password for their work account, their personal email, their Amazon account, and a dozen other services. When one of those services is breached (and they are breached constantly), the credentials end up in databases that attackers use for automated login attempts against corporate systems. If an employee's work password is in one of those databases and they don't have multi-factor authentication, the attacker is in.
This is the single most impactful security investment most organizations can make: universal multi-factor authentication. Not just for email and VPN, but for every cloud service, every SaaS application, every administrative interface. MFA doesn't make credential attacks impossible, but it makes them an order of magnitude harder, and that's usually enough to make the attacker move on.
Supply chain risk. Your security posture is only as strong as your weakest supplier's. The SolarWinds attack in 2020 demonstrated this at scale, but the principle applies to every organization that uses third-party software, managed services, or cloud platforms. A compromised update from a software vendor, a breach at your IT managed service provider, an insecure API from a SaaS supplier. These are all ways that someone else's security failure becomes your incident.
Managing supply chain risk doesn't mean auditing every vendor to SOC 2 standards (though for critical suppliers, you should). It means understanding which suppliers have access to your data and systems, ensuring that access is limited to what they need, monitoring for unusual activity from third-party connections, and having a plan for what happens when a key supplier is compromised.
Ransomware. Ransomware remains a real threat, but the defense is not primarily about preventing the initial infection (though that matters). The defense is about limiting the blast radius when an infection does occur and ensuring you can recover without paying. Network segmentation that prevents lateral movement. Backup systems that are isolated from the production network and regularly tested. Incident response procedures that the team has actually practiced, not just read in a document.
The organizations that recover from ransomware quickly are the ones that invested in backup infrastructure and tested their recovery procedures before the attack. The ones that pay the ransom are typically the ones that had backups on the same network as their production systems, or that had never actually tested whether their backups could restore a full environment.
The risks that get more attention than they deserve
This section will irritate security vendors, but it needs to be said. Not every threat deserves equal attention, and the security industry has a financial incentive to make every risk sound existential.
Nation-state attacks. Unless you operate in defense, critical national infrastructure, or high-value intellectual property, the probability of being specifically targeted by a nation-state actor is negligibly small. You might be caught in the blast radius of a broad campaign (like SolarWinds), but that's a supply chain risk, not a targeted attack. Spending significant budget on "advanced threat protection" designed to detect nation-state tactics is disproportionate for most commercial organizations.
Zero-day exploits. A zero-day is a vulnerability that hasn't been patched yet because the vendor doesn't know about it. They're real, they're dangerous, and they're overwhelmingly used against high-value targets. The vast majority of successful attacks against mid-market organizations exploit known vulnerabilities that have had patches available for months or years. Patching what you know about is far more valuable than worrying about what you don't.
Insider threats. Yes, employees can steal data or sabotage systems. But for most organizations, the insider threat risk is managed proportionately through basic access controls (people only have access to what they need), monitoring (unusual data access patterns generate alerts), and good management practice (people who feel valued and treated fairly are less likely to act maliciously). Building a surveillance culture around insider threats creates more problems than it solves.
What proportionate security looks like
Proportionate security means spending an amount of effort and money that's appropriate to the actual risks facing the organization. It means accepting that perfect security is impossible, and focusing resources on the controls that deliver the most risk reduction per unit of investment.
For a mid-market organization, proportionate security typically looks like this:
Identity and access management. This is the foundation. Multi-factor authentication everywhere. Conditional access policies that restrict where and how people can access corporate systems. Regular access reviews to remove permissions that are no longer needed. Privileged access management for administrative accounts. If you do nothing else on this list, do this. Identity compromise is the root cause of most successful attacks.
Patch management. A disciplined process for applying security patches to operating systems, applications, and firmware. Not instantly (testing patches before deploying them to production is reasonable) but within a defined window. Critical patches within 72 hours. Everything else within 30 days. Automated where possible. Tracked and reported so you know what's patched and what isn't.
Backup and recovery. Backups that are isolated from the production network (so ransomware can't encrypt them). Regular backup testing. Not just verifying that the backup job completed, but actually restoring from backup to prove the data is intact and the recovery procedure works. A documented recovery plan that includes recovery time targets for critical systems. The question isn't "do you have backups?" It's "have you tested a full restore in the last 90 days?"
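The patch windows and the 90-day restore-test question above are the kind of control status a board report should carry as numbers rather than adjectives. The script below is an added example, not from the article: it takes a constructed patch inventory and a constructed log of full-restore tests, flags every patch past the 72-hour or 30-day window and every backup set not restore-tested in 90 days, and summarises both as a compliance figure. The host names, backup set names and dates are made up; in practice the rows would come from the patching tool and the backup system.

```python
"""Control-status check for the patch windows and restore-test age described above.

Added example, not part of the original article. Inventory data is constructed
here as inline sample records; in practice it would be exported from the
patching tool and the backup system's test log.
"""
from datetime import date, timedelta

# Patch windows stated in the article: critical within 72 hours, the rest within 30 days.
PATCH_SLA = {"critical": timedelta(hours=72), "other": timedelta(days=30)}
# The article's backup question: has a full restore been tested in the last 90 days?
RESTORE_TEST_MAX_AGE = timedelta(days=90)

# Constructed reporting date used by the sample run below.
SAMPLE_TODAY = date(2024, 3, 10)

# Constructed sample data: one row per host per pending (not yet applied) patch.
PENDING_PATCHES = [
    # (host, severity, date the patch became available)
    ("web-01", "critical", date(2024, 3, 1)),
    ("web-02", "critical", date(2024, 3, 9)),
    ("file-01", "other", date(2024, 1, 20)),
    ("file-02", "other", date(2024, 3, 1)),
]

# Constructed sample data: last successful full-restore test per backup set (None = never tested).
RESTORE_TESTS = {
    "finance-db": date(2024, 2, 15),
    "file-shares": date(2023, 10, 1),
    "mail-archive": None,
}


def overdue_patches(pending, today):
    """Return (host, severity, days_overdue) for every pending patch past its window."""
    overdue = []
    for host, severity, released in pending:
        window = PATCH_SLA["critical"] if severity == "critical" else PATCH_SLA["other"]
        deadline = released + window
        if today > deadline:
            overdue.append((host, severity, (today - deadline).days))
    return overdue


def stale_restore_tests(tests, today):
    """Return backup sets whose last full-restore test is missing or older than 90 days."""
    return [
        name
        for name, last_test in tests.items()
        if last_test is None or today - last_test > RESTORE_TEST_MAX_AGE
    ]


def control_status(pending, tests, today):
    """Summarise both controls as figures a board report can act on."""
    overdue = overdue_patches(pending, today)
    stale = stale_restore_tests(tests, today)
    compliance = round(1 - len(overdue) / len(pending), 2) if pending else 1.0
    return {
        "patch_sla_compliance": compliance,
        "overdue_patches": overdue,
        "backup_sets_untested_90d": stale,
    }


if __name__ == "__main__":
    for key, value in control_status(PENDING_PATCHES, RESTORE_TESTS, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
```

Two of the four sample patches are outside their window and two of the three backup sets fail the 90-day test, which is exactly the shape of finding that belongs in the report: a percentage, and the named systems behind it.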
Email security. DMARC, DKIM, and SPF configured correctly to prevent email spoofing. An email security gateway that filters known phishing and malware. User awareness that's practical and specific (not annual compliance training that everyone clicks through). A clear process for reporting suspicious emails, and a response team that actually investigates the reports.
Endpoint protection. Modern endpoint detection and response (EDR) on all corporate devices. Not the antivirus software from 2015 that scans for known malware signatures, but a current EDR platform that monitors behavior and can detect and contain threats that signature-based tools miss. Microsoft Defender for Endpoint, CrowdStrike, SentinelOne. The market has mature, capable products. Pick one and deploy it everywhere.
Network segmentation. Not every system needs to talk to every other system. Segment the network so that a compromise in one area can't easily spread to others. Keep management interfaces on separate networks. Isolate guest WiFi from corporate systems. Put IoT devices on their own VLAN. These are basic architectural decisions that dramatically limit the blast radius of a successful attack.
Cyber Essentials and ISO 27001: what they mean and don't mean
Cyber Essentials is a UK government-backed scheme that certifies organizations against five basic security controls: firewalls, secure configuration, user access control, malware protection, and patch management. It's a low bar. Deliberately so. The intent is to ensure organizations have the minimum viable security posture to defend against common attacks.
Cyber Essentials certification is increasingly required for government contracts and is becoming a baseline expectation for commercial contracts too. It's worth having, and for most organizations, achieving it requires modest effort. The Plus variant, which includes an independent technical assessment rather than self-certification, provides meaningful assurance that the controls are actually in place.
What Cyber Essentials doesn't mean: that you're secure. It means you have the basics in place. It doesn't cover incident response, backup and recovery, supply chain risk, or security awareness. It's a floor, not a ceiling.
ISO 27001 is an international standard for information security management systems. It's comprehensive, covering everything from risk assessment to access control to incident management to business continuity. Achieving ISO 27001 certification requires significant investment in documentation, processes, and audit. Typically six to twelve months of dedicated effort for a mid-market organization.
ISO 27001 is valuable because it forces organizations to think systematically about security rather than implementing controls ad hoc. The risk assessment process, in particular, drives proportionate security spending by requiring organizations to identify their actual risks and implement controls that address them. It also provides external assurance to clients and partners that the organization takes security seriously.
What ISO 27001 doesn't mean: that you're immune to attack. The standard requires a management system and a risk-based approach to controls. It doesn't prescribe specific technical measures. An organization can be ISO 27001 certified and still have weak technical controls if their risk assessment concluded that those controls weren't necessary. The certificate means the process is sound, not that every technical base is covered.
For most mid-market organizations, the pragmatic path is: Cyber Essentials Plus as an immediate baseline, followed by ISO 27001 when the business case justifies it (usually when clients or regulators start requiring it). Don't pursue ISO 27001 for vanity. It's an ongoing commitment that requires annual surveillance audits and continuous process maintenance. If you're not going to maintain it properly, the certification becomes a liability rather than an asset.
When to hire a CISO
The Chief Information Security Officer role has become the default answer to "who owns cybersecurity?" But for mid-market organizations, a full-time CISO is often a premature hire that creates as many problems as it solves.
A competent CISO commands a senior executive salary. For that investment, you get one person who needs a team beneath them to implement anything. A CISO without a security team is a strategist without an army. They can write policies and risk assessments, but the actual security work still needs to happen somewhere.
For organizations with fewer than 500 employees, the math rarely works. You need security leadership, but you don't need it forty hours a week. You need someone who can set strategy, manage risk, advise the board, and oversee the operational security work that's done by your IT team or your managed service provider. That's two to four days per month, not a full-time role.
This is where the fractional security model (a senior security professional working with your organization on a retained, part-time basis) makes sense. The fractional CISO (or virtual CISO, or security advisor, whatever you want to call the role) provides the strategic security leadership at a fraction of the cost, with the added benefit of cross-organization experience. Someone who manages security across multiple organizations has seen more attack patterns, more vendor products, and more failure modes than someone embedded in a single company.
The trigger for a full-time CISO hire is usually one of: the organization exceeds 500-1,000 employees and the security workload justifies a dedicated leader; the organization operates in a heavily regulated sector where a named CISO is a regulatory requirement; or a significant security incident has demonstrated that the organization needs continuous, dedicated security leadership rather than periodic guidance.
Until one of those triggers fires, the fractional model gives you the strategic oversight without the overhead. And when the time comes to hire full-time, the fractional CISO often helps define the role, recruit the candidate, and ensure a smooth transition. Much like the fractional CTO model in broader IT leadership.
Security governance at board level
Cybersecurity is a board-level risk. This isn't a platitude. It's a legal reality. Directors have a duty of care that includes overseeing the organization's approach to information security. Regulatory frameworks increasingly require board-level accountability for cyber risk. And when a breach happens, the first question from regulators, insurers, and litigators is "what did the board know, and what did they do about it?"
Effective board-level security governance doesn't require the board to understand the technical details. It requires them to understand the risk profile, the organization's posture relative to that risk, and the investment being made to manage it. This means regular reporting (not annual) in language that board members can act on.
Good security reporting to the board includes: the top risks facing the organization and how they've changed since the last report; the status of key security controls (MFA deployment, patch compliance, backup test results); any incidents or near-misses and the lessons learned; the security investment relative to industry benchmarks; and any emerging risks or regulatory changes that require board attention.
Bad security reporting is a dense technical document full of vulnerability counts, CVSS scores, and firewall statistics that nobody outside the security team can interpret. If the board needs a translator to understand the security report, the report has failed.
The CEO's role in this is setting the tone. Security governance works when the board takes it seriously, asks informed questions, and holds management accountable for the security posture. It fails when cybersecurity is a standing agenda item that gets five minutes at the end of a long meeting, or when the board treats it as "an IT thing" and delegates it entirely.
The basics that actually matter
If you take one thing from this article, let it be this: the basics matter more than the advanced capabilities. An organization with excellent fundamentals (strong identity management, disciplined patching, tested backups, trained users) is more secure than an organization that has bought every advanced security tool on the market but hasn't deployed MFA consistently.
The security industry doesn't like this message because the basics aren't exciting and they're not expensive. There's no trade show booth for "we help you patch your servers on time." But the data is unambiguous: the majority of successful cyber attacks exploit gaps in fundamental security controls. Unpatched systems. Weak or reused passwords without MFA. Unmonitored administrative access. Backups that weren't tested. Users who weren't trained to recognize phishing.
Get the basics right before you invest in anything advanced. If your MFA deployment is incomplete, don't buy a SIEM. If your patching is inconsistent, don't buy threat intelligence. If your backups haven't been tested, don't buy a breach detection tool. The advanced capabilities are genuinely valuable. For organizations that have the fundamentals in place. For everyone else, they're expensive distractions from the work that would actually reduce risk.
Cybersecurity doesn't have to be driven by fear. It should be driven by a clear understanding of the risks facing your organization, a proportionate set of controls to manage those risks, and a governance structure that ensures the board is informed and accountable. The vendors want you scared. What you actually need is informed, proportionate, and disciplined. That's less dramatic than the vendor pitch, but it's a lot more effective.