Cybersecurity for mid-sized companies: from awareness to strategic structuring
Mid-sized enterprises (ETIs), defined by a workforce of between 250 and 5,000 employees and annual revenue not exceeding €1.5 billion, have crossed a threshold in recent years in terms of cybersecurity. Their strategy in this field is no longer a project to be initiated, but a program already underway in the majority of organizations. This is at least the view of Alain Bouillé, General Delegate of CESIN: “Recruitment of CISOs is increasing and the cybersecurity function is becoming more structured. This dynamic is driven both by upcoming regulatory pressure, notably NIS2, and by growing exposure to cyberattacks. The challenge is no longer to convince organizations of the need to act, but to raise the level of maturity,” he states.
This is a level of maturity that ETIs need not be ashamed of. According to the panorama of cybersecurity maturity among French companies published by CESIN and CyberVadis, large enterprises achieve an average maturity score of 865, followed by ETIs (762), SMEs (694) and micro-enterprises (647).
ETIs: focusing on pragmatic choices and decisions
Despite this more than respectable level of maturity, ETIs build their cybersecurity strategy in an organizational and budgetary in-between. With greater resources than SMEs but far from the capacities of large groups, they face increasing demands from clients and partners, without always being able to easily pass on the associated costs. The dominant logic is therefore one of informed choice and risk targeting. “For an ETI, the challenge is to adopt a pragmatic approach based on assessing the risks that are genuinely likely to affect its stakeholders. This analysis must make it possible to calibrate security investments in line with economic constraints and commercial balance, while maintaining a level of protection deemed acceptable in light of the business and commitments to clients,” comments Laurent Petit, Group CISO at Everial.
On the budget side, resources are generally aligned with the expected level of maturity, with investments typically following awareness. “In many ETIs, the share of the cyber budget represents between 5 and 10% of the IT budget, an order of magnitude comparable to that observed in larger organizations, even if absolute volumes remain lower. Difficulties mainly arise when the company has to catch up on accumulated delays. But when security is integrated from the outset into digital transformation projects, the financial effort remains manageable,” analyzes Alain Bouillé.
In the particular case of an SME growing into an ETI, the transformation it undergoes is not always easy to grasp. “The transition from SME to ETI marks a shift in cyber governance. As the company grows, stakeholder expectations increase. Cybersecurity must then be integrated into the company’s overall strategy. This translates into formalizing a cybersecurity strategy aligned with business objectives, implementing broader risk analyses, developing a security master plan and explicitly managing residual risk, notably through insurance,” notes Laurent Petit. This structuring, however, remains uneven among ETIs, many of which still lack dedicated teams.
An intermediate size as a real lever for agility
For Alain Bouillé, however, the intermediate position of ETIs is above all an advantage. “ETIs do not have the resources of large groups, certainly, but they benefit from greater organizational agility. The deployment of technical measures such as EDR or multi-factor authentication can be carried out more quickly, with fewer organizational or social constraints,” he argues. The “intermediate” size of ETIs thus facilitates shorter decision cycles and faster operational implementation, provided that management has internalized cybersecurity challenges.
In many ETIs, cybersecurity is primarily viewed as a business lever rather than a cost center. “Faced with the need to align security measures with commercial and operational stakes, ETIs aim to facilitate sales, reassure clients and support growth. In this logic, the cybersecurity function positions itself at the service of business units, on a model close to the evolution of IT departments: understanding operational needs, contextualizing measures and internal pedagogy,” observes Laurent Petit. The role of the CISO is therefore no longer solely to forbid or block, but to arbitrate and support.
The driving role of regulation
Finally, the experts interviewed converge on the same analysis: regulation and sectoral obligations act as maturity accelerators. “Constraints stemming from regulations, standards or client requirements push ETIs to structure their systems. Recent financial penalties and the rise of frameworks such as NIS2 reinforce this dynamic. Anticipating a gradual extension of these obligations to smaller companies encourages ETIs to prepare now,” believes Laurent Petit.
Alain Bouillé adds: “Pressure from the value chain acts as a structuring lever. ETIs, often suppliers to large groups, are increasingly subject to contractual security requirements. The rise of supply chain attacks strengthens these expectations. Prime contractors demand guarantees, which mechanically pushes ETIs to raise their level of protection. This pressure adds to that of regulators and cyberattackers themselves.”
In summary, ETIs’ cybersecurity strategy is characterized by a pragmatic approach, constrained by resources but structured by growing requirements. It rests on constant trade-offs between compliance, risk management and support for growth strategy. One thing is certain: awareness is firmly established, resources are increasing, and organizational agility constitutes a real advantage. Regulatory pressure and that of the value chain are nevertheless likely to continue shaping the maturity trajectory of ETIs in the coming years.