Business & Technology

The Impact of Complexity on Organizations Over Time—and How SMBs Can Prevent It

By Joel Boyd | October 18, 2021
SMBs Cybersecurity Challenges

SMB's Need Better Advice

SMBs need good data to make decisions. The problem is that most research is focused on the enterprise segment. And when you do find an SMB-focused survey, it often lumps together organizations with less than a hundred employees with those with more than a thousand. But when it comes to running a small business, one size does not fit all. So, when we set out to create a new SMB survey on cybersecurity challenges, we knew we had to go about it differently if we wanted data that could really help. That’s why, when Fortinet surveyed IT decision-makers (ITDMs) across the US on the top issues they face when buying and managing cybersecurity, we segmented their responses based on the number of employees in their organization: 150-250, 250-500, 500-1000, 1000-1500. 

By studying the responses from organizations of different sizes, we uncovered general issues all SMBs face when securing their networks and critical trends that develop as organizations grow from a small startup to a much larger company. And with that insight, we can recommend a better way forward so smaller organizations can avoid some of the pitfalls experienced by those further along in their growth. Below are some highlights and thoughts from that survey. To learn more, you can find the SMB report e-book here.

What are the Challenges of Dealing with Cybersecurity for SMB's?

One clear trend we uncovered is that organizations tend to grow their security infrastructure taking a best-of-breed approach. And as a result, as new security devices are introduced, they become increasingly difficult to manage. And this problem never ends. Enterprises (to be fair, let’s call them very large enterprises) have an average of 45 security tools in place, most from different vendors. And each incident they respond to requires coordination across 19 different solutions. 

Now obviously, small businesses don’t have nearly this many security vendors in place. But the problems related to vendor and solution sprawl can ratchet up pretty fast. How large is your business? Do you use more than four security companies? Because over half of companies with more than four security vendors report that troubleshooting issues between products is a significant challenge. And isolated security systems can’t see and actively share threat intelligence, correlate data to find indicators of compromise, or automatically launch a coordinated response to a detected threat. As a result, cybercriminals often operate their attack chain without much interference—breaching networks, establishing a foothold, escalating privilege, moving laterally, launching malware, and extracting data. Complexity is why the average time to detect malicious activities is now measured in months.

But many smaller companies making security purchases don’t see the impact their decisions may have down the road. And by the time they do understand, they have built themselves into a corner.

How did we Get Here?

Most enterprise organizations have size, advanced security ecosystems, and large teams of seasoned IT professionals on their side. But because their security environments grew over time, even those organizations suffered from vendor sprawl, much of it left over from when they were smaller and weren’t thinking down the road. One of the most common complaints I used to hear is about the challenge of managing such a complex security environment. And in fact, that complexity is often the real source of a lot of their problems, such as their inability to see or respond to threats. But at that point, it was way too late to rethink their security strategy without spending a lot of time and money fixing a problem they had inadvertently created. The best approach is to nip this in the bud.

Today’s business growth is tied to technology. And fortunately for SMBs, advanced technologies traditionally out of their reach are now readily available. But rather than having a cohesive infrastructure development strategy, our research shows that smaller organizations tend to purchase new products on top of old ones and just build workaround upon workaround. That may work when you only have a couple of solutions in place. But fast-forward a few years, when you’re approaching enterprise size, and the single issue that consumes the biggest share of your time will be trying to manage the complex network of disparate vendors you have in place.

Lessons Learned

Today, as I interact with SMB organizations, I frequently hear them share their belief that their business isn’t ready for a fully integrated and scalable security strategy. And that they’ll upgrade later when it is. It’s probably the same argument their enterprise peers made when they were that size. The ones who now complain about complexity. And on the surface, I can see their point. Resources are limited, and the best option may seem to be, buy what you need now and worry about tomorrow, well, tomorrow. But the fact is, upgrading later is rarely an effective strategy, especially with how fast technology is changing and organizations are expanding. Do small businesses consider the gaps that lie between expectations and reality?

The answer? According to our research, development plans simply don’t keep pace with business needs or technology adoption. Most organizations at the lower end of our survey believed their technology would support them for two to four years. But in fact, they ended up adding new products every one to two years to fill gaps. And they then had to build workarounds to support their previous investments. Keep doing this across multiple vendors, and suddenly the dream of a streamlined, integrated, automated system is gone. As a result, we found that a staggering 44% of companies with more than ten security vendors spend between 40% and 50% of their time troubleshooting interoperability.

Hindsight is 20/20

We finished our survey by literally asking, “If you knew then what you know now, what would you have done differently?” And we gave folks a chance to pick their top three. While “selecting vendors more carefully” was the least picked top choice for businesses with 150-250 employees, it was the most chosen number one answer by those with over 1000 employees. Even more eye-opening, 61% of companies with more than 1000 employees admitted that they would have focused on a single vendor rather than a multi-vendor approach if given a chance to do things differently. And the other data in the report bears that out—as soon as companies broke past 1,000 employees, they began to reverse course and consolidate vendors.

For SMB's, Products Designed Together Work Better Together

Fortinet is the only vendor to truly deliver a single security platform where almost everything is built using the same underlying code. And that matters because without a lot of customization and adding “helper products”—solutions used to fill feature gaps or connect isolated point products—you just don’t get the integration and automation you need to effectively stop modern attackers. Even vendors with a broad portfolio of products—even those who had initially taken an organic growth approach—lose that “native” integration advantage as they begin to grow through acquisition without the necessary integration. Eventually, they just become a single source for the same complexity you used to buy from multiple vendors. And customers invariably suffer.

As smaller businesses adopt new technologies and business strategies, they need the same protection as their larger counterparts. Their challenge is that they don’t have the same access to resources as their enterprise competitors. But maybe they shouldn’t have to. Maybe, cybersecurity should be more affordable, maybe SMBs should be able to get everything they need from a single vendor, and maybe not at the price of losing performance, interoperability, and functionality as they grow.

To learn more about the cybersecurity solution challenges facing SMBs, read our recent report, Avoiding Complexity: The Impact Complexity Has on Organizations Over Time and How SMBs Can Prevent It.

Click here for more information about Fortinet’s suite of integrated security and networking solutions designed for today’s SMB organizations.

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.