
Our recent article centered on how IT departments can make the most of downtime. In compiling questions from our clients, we noticed that many were from individuals who do not have a technology background. In this article, we are going to discuss four common technology issues middle-market companies face, along with approaches to consider and resources that are available to assist those individuals who may not know what they do not know.

Lack of experienced IT leaders and analysts

As a middle-market firm, many of our clients’ businesses look a bit different than the blue-sky, ideally designed organizations more typical of larger companies. Many of our clients do not have dedicated IT business analysts whose job consists of thoroughly understanding business needs and defining technology solutions that align with those objectives. Numerous companies do not have a dedicated security function, and as a result, can find themselves in risky security postures with operational concerns having eclipsed the importance of understanding their technology risks. Many of our clients do not have dedicated IT leadership, and in many situations find themselves placing their overall technology strategy in the hands of their IT systems administrator who, while capable of supporting existing infrastructure, may not have the skills or experience to build an evolving technology function.

CFO is the same person as CIO / ISO

To continue building on the aforementioned issue of not having dedicated IT leadership, quite a few of our clients’ CFOs have found themselves responsible for the IT function within their organization, having inherited it in a somewhat de facto manner. In some circumstances this configuration can be effective; however, as an organization grows and becomes more complex, specialized expertise is required in order to ensure the company is effectively utilizing its resources and building an IT function that properly addresses both the operational and security risks posed to the organization.

IT resources dedicated solely to operational issues

Many less organized IT departments may be stuck having become essentially a firefighting function within the organization, spending most of their efforts responding to operational issues with little time left over to address other considerations. Placing operational requirements ahead of security concerns creates a real risk for any organization. Many times, responding to the pressures of daily operations where your end-users just need things “to work”, necessitates instituting quick-fix or stop-gap measures that may carry with them significant risks that an organization may not fully realize until it’s too late. We’ve seen many instances of this during the recent COVID-19 crisis as companies struggle to continue operations.

Security controls implemented are too rigid or lax

Not properly balancing your operational and security concerns can result in things quickly spiraling out of control, negatively impacting the end-user experience or even worse — the business’ ability to operate. If you implement security controls that are overly burdensome (or self-defeating), then it can create obstacles to your end-user’s ability to get their work done efficiently. If your controls are too lax, then you may open yourself up to a security incident that can result in the compromise, destruction or unavailability of your systems and data.

What can I do to solve these problems?

Here are just a few items to help get your hands around your security posture, IT service delivery effectiveness, current trends, and more.

  • Conduct a technology risk assessment – Assessing your technology risk is not a particularly stimulating or invigorating activity, but is a necessary component to help ensure that you are understanding and responding to “what can go wrong” in your environment. If it is your first time conducting this kind of assessment, it can be quite an undertaking. However, subsequent executions of the assessment tend to be much easier to complete since you will not be starting from zero. We recommend performing your assessment at least once per year, and more often if warranted, usually in conjunction with a significant change to your environment or processes. After you understand your current posture, you can make better informed decisions on how to deploy your resources and which safeguards may need to be implemented.
  • Conduct a needs analysis – It has been said that perception is reality and understanding how effectively your organization may be delivering technology services requires soliciting feedback across the board. The IT experience “on the ground” may be quite different for someone in accounting as compared to an end-user on your sales team. These activities focus around understanding to what degree your systems are supporting the business needs of your various end-users, and how effectively the systems accomplish this task. These projects can be quite eye-opening, and your end-users are an invaluable source of critical information which should be included in any department’s decision-making process.
  • Stay up to date on trends – There are many excellent sources of information online that can equip you to better handle the road ahead. Lists of many of these are available with a quick web search, but you will need to figure out which are the most appropriate for your situation. A few suggestions are: Security Weekly, Infosecurity Magazine, and
  • Get help from an expert – Some organizations may need help on the IT leadership or security front, yet may not have the need, or in some cases the resources, for an FTE in that position. One solution is to engage a fractional CIO (Chief Information Officer) or CISO (Chief Information Security Officer) to assist your organization on a part-time basis. These individuals can provide your organization with strategic guidance in areas such as IT strategy or risk management and are available at an attractive price point as compared to the cost of an FTE. In addition to assisting with items mentioned earlier in this article, these individuals can help ensure you properly address items such as: business continuity and disaster recovery, incident response, risk assessments, needs analyses, strategic planning, vendor management, and so on.


As with any discipline, there are many different IT specialties that exist. Technology generalists are a critical part of any IT strategy, and are also the unsung heroes that keep our world turning; however, be sure to augment their knowledge and capabilities by seeking out those with specialized knowledge, otherwise you may have a blind spot that goes unaddressed.

Please reach out to us with any questions or if you need help with your technology risk needs.

John Jamison

Technology Risk Services Consulting Principal
