Stanley "Stash" Jarocki is used to getting plenty of attention. Once the VP of IT security at Morgan Stanley, Jarocki knows what it's like to manage a staff of dozens at a Fortune 50 company that spends millions of dollars on technology. When he called a vendor, the vendor answered. Quickly. "I'd pick up the phone, and the company—service provider, hardware provider, software provider—would be in the door tomorrow, today," Jarocki says.
But that was then. Jarocki has had to change his tactics and expectations now that he works in one of the trickiest spots in security: right in the middle. He is senior VP and information security officer of New York City–based Bessemer Trust, a privately held wealth management company with $40 billion in assets and just 600 employees. When it comes to infosec, analysts say, working at this size company can be the worst of both worlds.
"The companies are often big enough to be targets, but not necessarily big enough to have the staff and the budget to do security well," says John Pescatore, a vice president at the analyst firm Gartner. "They often don't have strong IT discipline, and that causes all sorts of security problems. But they're big enough to be targets of cybercrime—somebody saying, 'Let me go after this plumbing supply company. It's not so big, but maybe I can find a credit card file.'" What's more, midsize organizations may face the same bevy of regulators as big companies.
But the little guys—that is, companies with revenue between $100 million and $1 billion—are being forced into getting better at security. And the best among them have tips about managing security on a budget that even CISOs with gargantuan budgets could learn from. Here are three ways they're doing more with less.