Right-sizing security at 50 people

You are 50 people, the company is growing, and a vendor just walked you through a security platform. The dashboard was beautiful. It had a threat map with glowing lines arcing between continents, a feed of severity scores, and a slide promising visibility across your entire estate. The salesperson asked about your security operations center staffing model, and you nodded as if you had one.

You did not buy. Something felt off, and it was not the price, though the price was real. It was the shape of the thing. Every screen assumed a team you do not have: an analyst to watch the feed, a tuning engineer to quiet the noise, an incident commander for the playbook. The platform was built for a company with a security department, and you have a finance lead who also owns the laptops and a fractional technical lead who answers Slack at odd hours.

Here is the trap. The vendor sized the pitch to the biggest logo in the room, not to you. So you walk away feeling either reckless for passing or foolish for almost buying. Neither is right. What you need at 50 people is a real question with a real answer, and it is not the answer on that slide.

Enterprise security products are designed around a customer who has people. The product assumes someone will configure it, watch it, tune it, and respond to what it surfaces. That assumption is load-bearing, and it is usually unstated.

Look at what the glossy platform takes for granted:

• Staffing to operate it. A security information and event management (SIEM) tool produces a river of alerts. Industry analysis has long described alert fatigue and the staffing required to triage high alert volumes (reporting on security operations and alert fatigue, Dark Reading). Without analysts, that river is noise you pay to ignore.
• Specialists to interpret it. Threat intelligence feeds, severity scoring, and correlation rules assume a reader who knows which findings matter for your environment and which are background radiation.
• Coverage you may already own. Many of the capabilities in the pitch overlap with what is already in your Microsoft 365 and AWS subscriptions, sold back to you in a new wrapper.

A 50-person company can buy any of this. What it cannot do is staff it. The license is the cheap part of an enterprise platform; the operating model is the expensive part, and it is the part nobody puts on the slide. You would be buying a car with no one to drive it.

Strip the threat map away and the real list is shorter and less exciting. At 50 people, security is mostly a handful of controls operated reliably, on a schedule, by someone competent. That is the whole game, and it is boring on purpose.

Identity is the front line. Multi-factor authentication enforced everywhere, not just where it was convenient. Microsoft Entra ID can apply Conditional Access policies that block a sign-in from an untrusted device or risky location (Microsoft documents Conditional Access). Joiners get the right access on day one; leavers lose it the day they leave, every time.

Your cloud needs a watcher. If you run on AWS, Amazon GuardDuty is a threat detection service that monitors the account for suspicious activity (AWS documents GuardDuty). The capability ships with the account. What it lacks is a human who reads the findings, decides which are real, and acts before the finding becomes an incident.

And the work has to leave a record. When a customer's procurement team sends a security questionnaire, or an auditor asks for proof, the answer should come from how the environment is run, not from someone's memory at 11 p.m. None of this is glamorous. All of it is what stops the incidents that land on companies your size.

The reason the enterprise pitch feels wrong is that it answers the wrong question. It treats security as a product you select. At 50 people, security is work that has to happen, and the open question is who does it.

You have three honest options. Hire a security lead, which a 50-person company can rarely keep busy or pay at the level a good one expects. Spread the work across the people you have, which is how the questionnaire ends up answered at 11 p.m. and how the leaver still has access in March. Or have the work operated by people who run these environments all day, across many companies, using the tools you already pay for.

The expensive mistake at 50 people is not skipping security. It is buying an enterprise program you cannot operate and calling the dashboard coverage.

This is the founder's real want, under all the features: confidence that the work is getting done, not a wall of screens proving it could be. A platform you cannot staff gives you the screens and none of the confidence.

Go back to that demo and the threat map arcing between continents. The discomfort you felt was accurate. You were being shown a program built for a company with a security department, and you were quietly asked to pretend you were that company. You are not, and you do not need to be.

A 50-person company that runs the basics well, identity locked down, the cloud watched by someone who reads the findings, and a record that falls out of running things properly, is in better shape than a much larger one drowning in a tool it cannot operate. Right-sizing is not settling. It is matching the work to the company you are, today, with room to grow into more when more is genuinely warranted.

So before the next beautiful dashboard, ask the question the demo skips: who, exactly, is going to operate this on Monday morning, and is that a job you have anyone to do?