Techaisle research shows that the US SMB spend on security (including managed security services) is likely to be US$8.4 B in 2017. Within the entire SMB (1-999 employees) segment it is easy to point to a lack of budget as a reason why US small businesses (1-99 employees) are not proactive when it comes to addressing security (or other IT) issues, but that may not be the whole problem, or perhaps even the greatest obstacle to small business adoption of security technology. Techaisle data illustrates that, relative to midmarket (100-999 employees) firms, small businesses have limited internal IT security staff, are not generally working with a managed service provider capable of managing security needs, are about one-third less likely than larger peers to work with outsourcers delivering Security-as-a-Service, and are about 50% less likely to embrace external vendors’ software-based security solutions. While microbusinesses could theoretically pursue the same strategies that are used by larger competitors, they lack the experience and skills needed to identify, deploy and manage the products and relationships used to develop shields protecting valuable corporate data, application and human assets.
In today’s SMB market, it is critical for vendors to build a detailed understanding of the small and midmarket segments, and to align resources and strategies with requirements as SMBs move from initial experimentation with sophisticated solutions towards mass-market adoption. In the SMB & Midmarket Security Adoptions Trends report, Techaisle analyzes 1,255 survey responses to provide the insight needed to build and execute on IT security strategies for the small and midmarket customer segments. Techaisle’s deep understanding of SMB IT and business requirements enables vendors to understand the ‘why’ and ‘when’ of solution adoption, current and planned approaches to solution use, the benefits that drive user investments, and key issues in aligning with buyers and building and intercepting demand.
The business context: IT Security solutions in the SMB market
Security is the most amorphous of IT market categories. Virtually all other technologies occupy a defined position within the solution stack: for example, in a collaboration or ERP solution, end-point devices access software via a network; the software is in turn housed in a data center or in the cloud; the software reads and writes to/from storage devices; the core application is integrated with other applications that add to its capability (for example, by providing videoconferencing capability to a collaboration system, or by adding analytics or reporting to an ERP package); information is backed up to other facilities to provide BC/DR capabilities. In each case, the technologies are assigned to a specific spot within the workflow or stack.
Security, though, needs to permeate all layers of the solution: it is used to protect the devices and their connection to the central application, to identify compromise (or malfeasance) of system users, and to safeguard the application itself; to protect the data both as it is in motion and when it is at rest; to build a shield around the data center and the connections between applications; to provide assurance that backups and BC/DR systems don’t become points of exposure for sensitive information. IT security isn’t a discrete category – it is a ubiquitous factor in all aspects of IT/business infrastructure.
It was not always so difficult to position security within the IT firmament. For many years, businesses of all types took an IT security approach that was roughly analogous to the defense strategy in medieval Europe: they built a hardened wall around their most valuable assets and allowed entry only through a carefully-controlled portal (firewalls in IT networks, the drawbridge in castles).
The advent of mobility and cloud, like the introduction of cannons in medieval Europe, made traditional defense strategies obsolete. With mobility and cloud, there is no fixed perimeter to harden and defend – the edge shifts with the physical movement of each device-holding end-user, and the core assets are distributed between owned and as-a-Service facilities.
Security is no longer an attribute that is applied as a wrapper around the IT environment – it is a feature that needs to be present within each layer of the stack, comprised of various tactics and technologies that need to be integrated to ensure that they provide comprehensive coverage, that they do not leave holes between the various shields, and that they are able to respond to new threat sources as they arise.
Use of discrete security solutions within SMBs
The need for security as an integral part of each solution component has led IT vendors to embed security features in a wide range of offerings. This applies in varying degrees to different types of products and services. Conventional infrastructure products – traditional servers and applications – typically have some embedded security features, but require regular patches and updates. Mobile devices and applications have relatively limited inherent security capabilities, and often require specific policies and solutions. In the cloud, applications (ranging from Google Apps and Office365 to Salesforce and other enterprise-grade systems) and infrastructure (notably, IaaS platforms) tout security features as intrinsic attributes of their offerings.
For some businesses, especially microbusinesses with fewer than 20 (or even 10) employees, embedded security capabilities are seen as adequate, or at least, more advanced than what the users themselves could assemble and deploy. There may be some truth to the idea that microbusinesses lack the skills and tools to improve on embedded security capabilities, but most larger organizations take a more proactive approach to securing their IT environments. The Techaisle survey demonstrates that while less than half of microbusinesses (and less than 30% of very small organizations) have currently deployed discrete security solutions, use of additional security products and services in midmarket employee-size segments is at or about 90%, with 100% of firms with 500-999 employees reporting that they are currently using discrete security solutions.