I was in a conference room with the leadership team of a $180M manufacturer last spring when their CFO said something I've now heard from maybe a dozen executives: "Our audit came back clean. So we're good, right?"
They had passed SOC 2. They had answered the cyber insurance questionnaire. The line items were checked. And nobody in the room could tell me, with any specificity, whether an attacker could get into their environment. The CIO said it on the way out: "We don't really know."
That gap, between the paperwork and the reality, is where most mid-market companies are living right now. Not the Fortune 500 — they have CISOs reporting to the board and budgets to match. Not the small businesses running on shared spreadsheets, either — their attack surface is small enough to mostly be background noise.
The companies that keep us busy are in between: $50M to $500M in revenue, 150 to 2,000 employees, real infrastructure, real complexity, and a security program built more by accumulation than by design.
This is the mid-market cybersecurity gap. Same shape, different shop, almost every engagement we walk into.
The profile
When I say "mid-market" in this piece, I mean companies in that revenue band, typically 100 to 2,500 employees. You've got on-premises servers somewhere. You're running Microsoft 365 or Azure or both. You have remote workers, a mix of old and new applications, and an IT team of two to six people closing helpdesk tickets and managing the printer that keeps dropping off the network. They're being asked to own security on top of all of it.
You are exactly large enough to be worth ransoming. Your vendor list and supply-chain connections are worth exploiting. And you are not large enough to have built the security organization that threat level deserves.
Large enough to be a target. Too lean to be ready.
Mid-market companies have the budget, the complexity, and the attack surface of a real target. What they don't have is a security organization sized to match.
Why the market doesn't fit you
The big enterprise vendors — CrowdStrike, Palo Alto, the rest — design their platforms for organizations with a 24/7 SOC and a team of analysts running it. We deploy their tools at mid-market companies all the time. The tools are good. What's missing isn't the tool. What's missing is the team that was supposed to be operating it.
On the other end, the SMB-focused managed providers offer packaged services priced for a 20-person company with one server. When a $250M client of theirs calls about an OT network feeding their production floor, the call gets quiet. The provider isn't doing anything wrong — they're just out of their depth.
The result is what we see in nine out of ten mid-market environments: a stack of tools that weren't designed to work together, half-configured because nobody had time to finish them, operated by people whose actual job description doesn't include security. The IT director who built that stack was making the right decisions with the resources and time they had. The resources and time were never going to be enough.
What this looks like week to week
A few of the conversations we have on repeat.
The clean audit. We finished one at a $90M services firm last quarter. They passed. During the readout, the CIO walked me out to the parking lot and said: "I don't want to say it inside, but I'm not actually sure we're secure. The audit told me what I had to document. It didn't tell me whether anyone can get in." Compliance answers a different question than security does. Mid-market leaders mix them up because the industry has trained them to.
The tool graveyard. A few months back we were reviewing a $140M distributor's environment. EDR, SIEM, vulnerability scanner, cloud posture tool, MDR contract. On paper, fully covered. In practice, the EDR was throwing about 200 alerts a week and nobody had looked at the console in six. The MDR was emailing summaries that the IT lead acknowledged and filed, because there was no playbook for what to do when an email actually said something. The tools weren't the problem. Nobody had dedicated time to act on what the tools were telling them.
The board question. A CEO at a $200M company called us in October because his board had asked him three questions about cybersecurity he couldn't answer in the meeting. He wasn't uninformed. He read the news. He just didn't have the translation between his actual environment and the language his board needed to hear. We spent two weeks putting together a one-page posture statement. The security work hadn't changed. The legibility had.
The phishing click. A Director of IT at a regional services firm sat with me in March, two weeks after his CFO had clicked a phishing link. Modern phishing is good now. The click happened because the email was good, not because the CFO was careless. The training video from January didn't look anything like the email that actually landed. That isn't a training problem. It's a realism problem.
The salary math
Here's the part most mid-market leaders haven't worked all the way out on a spreadsheet.
A full-time CISO is $250,000 to $350,000 in salary, before benefits, bonus, or the recruiting fee to land one. Mid-level security analysts run $85,000 to $120,000. A 24/7 monitoring function — the kind that catches threats rather than emailing you about them in the morning — needs multiple analysts across shifts.
By the time you finish the math for a $200M company, you're looking at $600,000 to $1M a year in headcount alone.
Most leadership teams can't justify that number, even when they understand why they probably should. That math is the reason the gap persists, and it's also the reason the fractional model exists. A virtual CSO gives you the strategic seat — board reporting, risk decisions, vendor evaluation, incident leadership — without the full salary. A virtual security analyst keeps eyes on the environment without making you staff a SOC. For companies at this size, that's the program: you get the seat, you get someone watching the environment, you don't pretend to have a SOC you don't have.
Where to actually start
If you recognize your company in any of this, the work isn't mysterious. Most of it isn't expensive in the first six months. Here's what we'd push first.
Get an honest assessment from someone who isn't trying to sell you tools afterward. A vendor's "free scan" is a sales process. An independent assessment is not. You need a risk picture quantified by likelihood and business impact, not by which dashboard color-codes the most red.
Write the board document before the board asks for it. A one-page security posture document that says "here's what we do, here's what we know we're missing, here's the plan, here's the timing" is worth more in a boardroom than another platform purchase. If you can't write that document yet, that's the actual first project.
Build a vulnerability cadence, not a tool collection. Knowing what's in your environment, what's exposed, and what's being patched on a schedule beats any single product you'll buy this year.
Consider fractional leadership before you commit to a hire. Most $100M–$300M companies who tried to hire a CISO in the last two years either couldn't fill the seat or paid too much for someone too senior for the day-to-day work. Fractional gives you the seat now and lets the hire decision get smarter over six to twelve months.
Run a tabletop before you need one. Put your executive and IT team around a table and walk through a ransomware scenario for two hours. The first time you do it, you'll find the exact things that would break under real conditions. Better to find them on a Tuesday afternoon than at 3am on a Saturday.
Where this leaves you
The attackers aren't sorting their target list by org-chart maturity. They're sorting by what's hard to breach and what's easy.
Most mid-market companies, through nobody's fault in particular, are easier than they should be. They have the budget. They have the people who'd do the work. What they don't have is a partner who can run the program for them at their size.
Want a second opinion on where you stand?
An hour on the phone. I'll tell you what I see. No tools to sell. No scare-the-CEO playbook. Just a real conversation.
Digital Elevation is a cybersecurity firm serving mid-market companies across 21 states. We work with companies that are too complex for SMB providers and too lean for enterprise pricing — security assessments, vulnerability management, vCSO services, and incident response.