Midsize Enterprises: Strengthen Security for Today's Threat Landscape
In this article, you'll discover several methods for approaching cybersecurity—even on a limited budget. Noviant suggests that you check it out to learn more.
Frequently Asked Questions
Why is cybersecurity so challenging for midsize enterprises?
Midsize enterprises (MSEs) face the same types of threats as large organizations—ransomware, supply chain attacks, and other advanced threats—but they typically have fewer people, tools, and budget to address them.
According to Gartner research cited in the article, only about 5% of an MSE’s overall IT spend went to security in 2021. On top of that, many midsize organizations don’t have a dedicated security leader; cybersecurity responsibility often sits with the CEO, CIO, or another business leader who is already juggling broader IT and business priorities.
Most MSEs also lack dedicated cybersecurity staff. Gartner’s data shows that a dedicated security role usually doesn’t appear until the IT team reaches at least 21 people. Until then, generalist IT staff are expected to handle security on top of everything else.
This combination—limited budget, small teams, and shared responsibilities—makes it harder for MSEs to:
- Keep up with evolving threats
- Maintain 24x7 monitoring
- Meet regulatory and customer security expectations
Despite these constraints, the article emphasizes that MSEs can still build effective protection by being intentional about how they structure roles, invest in training, and use external partners to fill gaps.
How should midsize IT teams organize security roles with limited staff?
For midsize enterprises, the key is to treat security as a shared responsibility across the IT team and to assign clear role-based responsibilities, even if people wear multiple hats.
The article recommends identifying internal team members who can take ownership across five critical security categories:
1. **Security governance and risk**
Focus areas: policy and strategy development, security education and training, and business continuity management.
2. **Security architecture and engineering**
Focus areas: platform, application, and data security, plus vulnerability management.
3. **Identity and access management**
Focus areas: account governance and administration, access management, and related analytics.
4. **IT operations and administration**
Focus areas: patch management, system administration, and user provisioning.
5. **Security operations and monitoring**
Focus areas: monitoring and detection, incident response, threat hunting, vulnerability assessments, and penetration testing.
In a typical MSE, one person may cover several of these areas. The article suggests investing in targeted training for staff in these categories. This helps:
- Improve day-to-day security processes
- Close skill gaps that MSE CIOs frequently cite as their top technology challenge
- Support IT talent retention by giving staff clear growth paths
By deliberately mapping responsibilities to these five categories and upskilling existing staff, MSEs can reimagine their security program without needing a large, specialized team.
When should a midsize enterprise use managed security services?
Running a 24x7 security operations center (SOC) in-house is rarely realistic for midsize enterprises. The article notes that you typically need at least 8–12 security analysts to operate a round-the-clock SOC, which is beyond the reach of most MSE budgets and staffing models.
To address this, the article recommends that MSEs consider:
- **Managed Security Service Providers (MSSPs)**
- **Managed Detection and Response (MDR) services**
- **Endpoint Detection and Response (EDR) providers**
These partners can handle resource-intensive monitoring and incident response, complementing your internal, role-based security approach. In many midsize environments, contracting a managed service provider can cost less than hiring one senior full-time security employee.
When selecting an MSSP, the article suggests looking for providers that:
- Offer managed security services specifically for your organization, governed by a negotiated contract rather than a generic click-through agreement
- Commit to clear deliverables and service-level agreements (SLAs)
- Augment your internal operations team, which will require some level of access to your corporate network
- Operate a technology stack from their own premises or the cloud (and, if needed, can also support a dedicated stack on your premises)
- Provide meaningful human interaction, not just automated alerts
Beyond outsourcing, the article also highlights the importance of MSE CIOs following practices of effective CISOs in larger organizations: building strong relationships with senior leadership, focusing on future risk, and designing the workforce around diverse competencies. This combination of internal leadership and external support helps MSEs strengthen their security posture within realistic budget and staffing limits.