When Customers Make The Call
Recently, our team has been looking back through our projects over the last few years to identify trends and uncover interesting metrics. One of the key research areas was to understand why organizations have reached out to us to seek cyber security support.
We wanted to share the insights from our research in the hopes that it can help you understand when the time is right to engage a cyber security company for help.
When To Reach Out About Security
Growth
As organizations grow, so does their digital footprint. A growing number of employees, accounts, and services means that attackers have a growing list of would-be targets. And as the number of staff grows, so does the range of experience with technology and cyber security matters - not all staff members will be able to identify and communicate potential threats.
We’ve engaged with many organizations who are growing, some experiencing 400% growth over the course of a couple of years. These organizations looked to us to help them implement the security technology, policies, and processes that keep their organization secure and provide secondary benefits like smoother (and more secure) employee onboarding.
Complexity
Related to growth is the topic of complexity. Many of our customers found that as their teams grew, they also needed to onboard new software and methods for collaboration. Adding new tools adds complexity to the organization’s IT environment and creates additional avenues for attackers to focus their resources.
As an example, one of our customers rapidly stood up new software-as-a-service tools to support their growing team and customer base. New tools like Salesforce and Slack were implemented with a focus on operational benefits, but they knew they needed cyber security expertise to ensure that their new productivity tools didn’t put organizational data at risk. We worked with the client to identify their critical software applications, evaluate their vulnerabilities and configuration, and make the right changes that improve security without interfering with the staff’s ability to get the most out of the tools.
Legal and Contractual
The most common first engagement we have with new partners is the NIST Cybersecurity Framework Assessment. We hold a series of workshops to uncover cyber security gaps and perform technical reviews to provide a cyber security improvement roadmap. One of the key questions we ask in the first workshop is “What is driving your need to improve security?” It’s becoming more and more common for our partners to explain that they have legal or contractual requirements stipulating that they must implement security best practices.
One of our nonprofit partners told us that one of their Fortune 500 donors required them to fill out an extensive cyber security questionnaire before they would make donations. The nonprofit wouldn’t have been able to meet many of the guidelines from the security questionnaire, and as such, reached out to our team to help build them an improvement plan and then implement it. For more on filling out cyber security questionnaires, check out this post.
Another customer, a small team focused on digital transformation, won a contract with a Fortune 10 company. After they were selected, their client required them to provide information about their cyber security posture. Because our customer had large gaps in their cyber security capabilities, processes, and technology, the Fortune 10 company put the contract on hold.
Ongoing Security Incidents
The most heartbreaking and stressful way that organizations get in touch with us is when they are under attack and currently experiencing an incident. This can be a challenge because we don’t have the underlying knowledge of the customer’s business and IT environment nor do we have all of our security tooling in place. Nevertheless, we are able to rapidly respond to kick off a cyber incident response project to remove the attacker and help their organization recover.
These incident response projects can be costly - hours spent performing incident response, interruptions to business operations, and real threats to reputation add up. We know from cyber security studies from the Ponemon Institute and others that proactively investing in security can save up to 82% of the costs of reactively responding to an attack.
Previous Security Incidents
Many organizations that experience an attack just cross their fingers hoping they won’t get attacked again, but more strategic organizations think critically about the impact of the attack on their operations and the pain it caused. When these organizations think strategically, they reach out to organizations like ours to help review the attack, assess the current state of security at the organization, and build a plan for improvement.
My Boss Said That Cyber Security Is A Priority
Sometimes organizations that get in touch with us do so because their leadership sees cyber security as a priority. The leadership in these organizations typically has at least some understanding of the risk of cyber attacks to the organization and has made a strategic decision to improve their security posture.
When there’s a top-down decision made to improve security, we’ve observed that our roadmapping and implementation projects are more broadly adopted by the organization and security measures are more consistent. We see impressive decreases in vulnerabilities in the IT environment as well as laudable performance in cyber security training and phishing simulations.
Wrapping Up
So, to wrap it up, our research revealed why organizations seek cyber security support. When companies grow, their digital presence expands, and attackers have more targets. New tools and software add complexity, which can lead to missed vulnerabilities. Legal and contractual requirements also drive the need for security improvements. Ongoing or previous security incidents show the value of proactive measures. And when top leadership makes security a priority, we see remarkable improvements across the board. By understanding these reasons, organizations can act wisely and engage cyber security experts to protect their operations and reputation. If you are interested in talking with us about cyber security, get in touch with us here.