Cybersecurity Checklist for Mid-Sized Companies [2026 Guide]


If you’re running a mid-sized company, you already live in the real world.

You’re trying to grow. You’re trying to protect margin. You’re trying to keep customers happy. And you’re doing it without the deep bench that a massive enterprise has.

Cybersecurity sits right in the middle of all of that.

I’m Bruce Fairley, Founder and CEO of The Narrative Group. I’ve spent more than 20 years in enterprise roles, including CTO roles at Loblaw and Shoppers Drug Mart. Now I work with mid-market leadership teams to bring that same level of discipline and clarity – without the big-company bureaucracy.

Here’s the core truth I want you to take in: security work fails when it’s treated like a technology shopping trip.

Security works when it’s treated like operations. It works when it’s tied to the way you make money. It works when it’s designed for how your people actually work.

And yes, it needs to be simple enough that you can run it.


Why this matters in 2026 (and why you can’t ignore it)

A breach is not an “IT problem.” It’s a business interruption with a legal tail.

IBM puts the global average cost of a data breach at $4.45 million. Most mid-sized companies don’t have the cash, time, or brand tolerance for that kind of hit.

And if you’re thinking, “We’re not big enough to be a target,” you’re aiming at the wrong idea. Verizon’s DBIR points out that SMBs are targeted four times more often than large enterprises.

Attackers aren’t looking for the biggest logo. They’re looking for the easiest path to money.

That’s why my approach is boring on purpose. It’s disciplined. It’s repeatable. It’s “mainstream, not leading edge, not bleeding edge.”

Because when the rubber hits the road, boring foundations keep you alive.


Start with one question: “How do you actually make money?”

Before I talk about tools, I ask a business question.

“How do you actually make money?”

I’m not being philosophical. I’m being practical. Your security plan has to protect the value chain that produces revenue, and it has to keep the supporting functions running so you can deliver.

If your technical architecture is in conflict with the value chain, you’ll get workarounds. You’ll get shadow IT. You’ll get people bypassing controls because they’re trying to do their job.

That’s how incidents start.

So the first step in my checklist is a simple executive exercise. We identify your “crown jewels,” and we name owners.

What are the systems that generate revenue? What data would hurt the most if it leaked? What systems must be available on a Monday morning for you to operate? Which vendors touch your data or your network?

Write it down. Keep it current. Make it someone’s job.

Then we map the flows. I’m a big believer in drawing it out because a picture tells a thousand words. You want to see how information moves, where it gets copied, where it gets emailed, and where it gets stuck.

This is the same mindset I use when a COO says, “My e-commerce platform doesn’t talk to inventory.” You don’t start with a tool. You start with patterns. Who’s talking to who? How often? Where does it break?

Security is the same game. Different stakes.


Ownership and governance: who’s holding the bag?

Mid-sized companies get hurt here.

They want security, but nobody owns it. Or it gets thrown onto a busy IT manager who’s already running around like a firefighter. Then something happens, and leadership asks, “How did we not know?”

You fix that by naming ownership and building a simple rhythm.

Start with an executive sponsor who has authority. Then name a single accountable leader for day-to-day security. That can be internal. It can be fractional. It can be a partner. I don’t care what the org chart looks like as long as accountability is real.

This matters more than most people admit. Only about 5% of companies have a cybersecurity expert on their board. So governance needs structure, not wishful thinking.

Security is moving up the org chart for a reason. By 2025, 82% of CISOs reported directly to the CEO. Mid-market companies often don’t have a CISO, so you need an equivalent decision path.

You also need a risk appetite. What are you willing to tolerate? What are you not willing to tolerate? If you can’t answer that, you’ll end up making emotional decisions during an incident.

And you need reporting that a CFO can live with. Simple. Consistent. Tied to risk and downtime.

What gets measured gets managed.


The 2026 cybersecurity checklist (the way I actually run it)

I’m going to walk you through the checklist in the same order I’d use if I stepped into your business.

I start with stability and visibility. Then I move into control and recovery. Then I tighten vendor risk and governance.

That order isn’t academic. It’s how you avoid breaking operations while you improve security.

1) Get current and get visible (assets, lifecycle, and “vanilla” thinking)

If you don’t know what devices you have, what software you run, and what systems are critical, you’re guessing.

You need an asset inventory that covers endpoints, servers, cloud services, SaaS apps, and network gear. You also need system owners. Somebody needs to be accountable for each critical platform. Otherwise, patching and access reviews turn into group confusion.

You also need lifecycle management. Old gear creates fragility. Fragility creates downtime. Downtime creates workarounds. Workarounds create security gaps.

I’ve lived this on the infrastructure side. We had one customer with six offices where people couldn’t connect to the network when they moved between locations. Meeting rooms barely worked. And every time they asked IT for help, “security” was used as the excuse to say no.

That’s a losing posture.

Our philosophy is simple: IT is intended to be an enabler, not a blocker. So we assessed the environment, stabilized it office by office, replaced core switches and network gear, replaced outdated servers, and put devices on a lifecycle plan. We also fixed meeting rooms and communicated how to use them so they actually worked.

Three years later, the managing director told me, “You’ve created a problem for me.” Everybody wanted every office to look like the new office because it worked that well.

That’s operational enablement. It’s also security, because “current” environments patch and evolve. They don’t break every time you touch them.

And keep your platforms as “vanilla software” as you can. Heavy customization feels powerful until you need to upgrade, secure, or integrate. Then you pay for it twice.

2) Identity and access (your front door is wide open without it)

In 2026, identity is the control plane.

If you want a fast risk reduction, focus here. You want strong multi-factor authentication on email, remote access, and any system that touches money or sensitive data. You also want separate admin accounts for admin work. Day-to-day accounts should not have elevated privilege.

Then you need a joiner-mover-leaver process that actually runs. New hires need consistent access provisioning. Role changes need updates. Terminations need immediate deactivation. If that feels harsh, remember this is how most incidents turn into disasters: old access nobody remembers.

This is also where role definition matters. When people don’t know who approves access, the path of least resistance wins. Access spreads. Risk spreads with it.
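The joiner-mover-leaver check described above, as an added example rather than anything from the Narrative Group post: it compares an HR roster against a directory export and reports the gaps this section names (leavers still enabled, accounts nobody owns, accounts without MFA, and people whose only account is a privileged one). The roster, the account list and the finding names are constructed for illustration.

```python
"""Added example (not from the Narrative Group post): a joiner-mover-leaver
reconciliation that compares the HR roster with a directory export.

The roster and account list below are constructed for illustration; in
practice they would be exports from the HRIS and the identity provider."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None: no HR record behind the account
    enabled: bool
    privileged: bool  # admin / elevated role
    mfa_enrolled: bool


# Constructed HR roster.
ROSTER = [
    Person("E100", "active"),
    Person("E101", "active"),
    Person("E102", "terminated"),
    Person("E103", "active"),
    Person("E105", "terminated"),
]

# Constructed directory export.
ACCOUNTS = [
    Account("alice", "E100", True, False, True),
    Account("alice-adm", "E100", True, True, True),   # separate admin account: good
    Account("bob", "E101", True, False, False),       # no MFA
    Account("carol", "E102", True, False, True),      # leaver, still enabled
    Account("dave-adm", "E103", True, True, True),    # only account is privileged
    Account("frank", "E105", False, False, True),     # leaver, correctly disabled
    Account("svc-legacy", None, True, False, False),  # nobody in HR owns it
    Account("old-temp", "E999", True, False, True),   # HR id not on the roster
]


def reconcile(roster: List[Person], accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return sorted (finding, username) pairs for the access gaps the post names."""
    people = {p.employee_id: p for p in roster}
    findings = set()
    enabled_by_person = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is the desired end state for a leaver
        person = people.get(acct.employee_id)
        if person is None:
            findings.add(("orphan", acct.username))
            continue
        enabled_by_person.setdefault(person.employee_id, []).append(acct)
        if person.status == "terminated":
            findings.add(("leaver_still_enabled", acct.username))
        if not acct.mfa_enrolled:
            findings.add(("mfa_missing", acct.username))
    # If every enabled account someone has is privileged, daily work runs with elevated rights.
    for emp_id, accts in enabled_by_person.items():
        if people[emp_id].status == "active" and all(a.privileged for a in accts):
            for a in accts:
                findings.add(("no_separate_daily_account", a.username))
    return sorted(findings)


if __name__ == "__main__":
    for finding, username in reconcile(ROSTER, ACCOUNTS):
        print(f"{finding:28} {username}")
```

Run it on a schedule against real exports and hand the output to the accountable leader; the value is in the repeat, since each run catches the access that has drifted since the last one.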


3) Patch and vulnerability management (because attackers love your backlog)

If you want a statistic that should bother you as an executive, this one is it.

Verizon reports that 82% of breaches involved exploiting a known vulnerability as the initial access vector.

Known vulnerability. That means the fix existed.

So patching can’t be an “IT task.” It has to be a business process with a cadence. Monthly patching for operating systems and core apps is a baseline. You also need an emergency path for critical issues.

You should also scan for vulnerabilities. Not because scanning is sexy. Because it’s how you see exposure before someone else does. Then you track remediation and you time-box exceptions. Exceptions without expiry dates become a permanent risk.

If you’re a CFO, here’s the tie-in: patching is cheaper than downtime. It’s also cheaper than incident response. And it reduces the odds that you get hit through a door you left unlocked.
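A small remediation tracker that applies a cadence per severity and time-boxes exceptions, added here as an illustration and not taken from the post. The per-severity windows in SLA_DAYS are an assumed policy (the post fixes only a monthly baseline plus an emergency path for critical issues), and the findings are constructed.

```python
"""Added example (not from the Narrative Group post): a remediation tracker
that applies a per-severity patch window and time-boxes exceptions.

The SLA_DAYS windows are an assumed policy; the findings are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation windows in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str
    found: date
    fixed: Optional[date] = None
    exception_until: Optional[date] = None  # expiry of an approved exception


# Constructed scanner output.
FINDINGS = [
    Finding("V-1", "erp-app-01", "critical", date(2026, 2, 20)),
    Finding("V-2", "file-srv-02", "high", date(2026, 2, 15)),
    Finding("V-3", "lt-0042", "medium", date(2025, 11, 1), fixed=date(2025, 12, 1)),
    Finding("V-4", "legacy-hr", "low", date(2025, 6, 1), exception_until=date(2026, 1, 31)),
    Finding("V-5", "pos-gw-01", "high", date(2026, 1, 20), exception_until=date(2026, 4, 30)),
]


def due_date(f: Finding) -> date:
    """Date by which the finding must be remediated under the assumed policy."""
    return f.found + timedelta(days=SLA_DAYS[f.severity])


def review(findings: List[Finding], today: date) -> Dict[str, str]:
    """Map each open finding to on_track, overdue, excepted or exception_expired."""
    report = {}
    for f in findings:
        if f.fixed is not None:
            continue  # closed findings leave the tracker
        if f.exception_until is not None:
            # Exceptions carry an expiry; once it passes, the finding is back in the queue.
            state = "excepted" if today <= f.exception_until else "exception_expired"
        else:
            state = "overdue" if today > due_date(f) else "on_track"
        report[f.finding_id] = state
    return report


def summary(report: Dict[str, str]) -> Dict[str, int]:
    """Counts by state: the one line a CFO needs to see each month."""
    return dict(Counter(report.values()))


if __name__ == "__main__":
    today = date(2026, 3, 1)
    rep = review(FINDINGS, today)
    for fid, state in rep.items():
        print(f"{fid}: {state}")
    print(summary(rep))
```

The point of the expiry field is that an exception cannot be open-ended: the tracker reports an expired exception as loudly as an overdue finding, which is what keeps exceptions from turning into permanent risk.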

4) Endpoint security (protect the devices your people use to make money)

Most compromises touch endpoints early. Laptops. Desktops. Mobile devices. That’s where credentials get stolen and malware lands.

You want modern endpoint protection and detection. You want disk encryption on laptops. You want device management so you can enforce standards. You want to remove local admin rights by default, because “everyone is admin” becomes “everyone is a risk surface.”

Keep this mindset: your company runs on long-running workflows. Your people execute them. Technology is supposed to amplify their skills, their creativity, their superpower. Security controls should support that, not trip them.


5) Email, collaboration, and the human factor (because people are involved)

Security is not purely technical. People are part of the system.

Verizon’s DBIR reports 68% of breaches involved a non-malicious human element. That includes employee error and social engineering. So you build controls that reduce the chance of a bad click turning into a bad week.

Email security and phishing controls matter. Basic domain protections matter. Simple sharing rules for Teams, SharePoint, Google Drive, and whatever else you use matter. Most mid-sized companies leak data through convenience, not evil intent.

This is also where false savings show up.

I’ve seen organizations avoid Microsoft license fees by using an old tool called Mail Manager to save emails to SharePoint. It “saved money” on paper. Later, when the organization needed to modernize and deal with upgrades like Windows 11, that little workaround became a dependency that complicated everything.

Cutting software costs often shifts the expense into manual labor and messy tooling. Then innovation slows down. Culture gets stuck. Complexity grows.

Follow the money. It usually shows up somewhere else.


6) Network and remote access (reduce the threat vectors)

Your network doesn’t need to be fancy. It needs to be intentional.

Separate guest Wi-Fi from corporate Wi-Fi. Tighten remote access. Review firewall rules so you understand why things are open. Segment sensitive areas like finance or payment flows so one compromise doesn’t become a company-wide compromise.

A lot of mid-market networks grew over time. New offices. New vendors. New remote work patterns. The original design didn’t account for today’s reality.

So draw the map. Trace the data. Then simplify.


7) Backups and recovery (assume ransomware is coming)

Hope is not a plan.

Backups are your last line of defence, and attackers know it. They go after backups early.

You want multiple backup copies, stored in different places, with at least one copy that’s offline or immutable. You also want to protect backup credentials like they’re gold, because they are.

Then you test restores.

If you’ve never tested a restore, you don’t know if you can recover. You only know that backups are being created.

I learned a long time ago that lab confidence is not real confidence. During a large loyalty program rollout, we got delayed by months because performance testing at scale exposed problems that didn’t show up with a small test group. Ten users in a lab is easy. Ten million users hitting the same endpoint on a Saturday morning is a different game.

Recovery works the same way. You find out if it’s real when you test it in conditions that look like reality.

8) Monitoring and incident response (make decisions with facts, not panic)

Most leaders are required to make decisions without all the information they want. That’s true in normal operations. During an incident, it gets worse.

So you build a simple incident response plan before you need it. Who decides what? Who talks to employees? Who talks to customers? Who talks to legal? Who talks to insurers? Who talks to the board?

You also need visibility. Centralized logs for identity, email, endpoints, and firewalls give you the ability to see patterns. Alerting needs ownership. Someone needs to receive it, understand it, and act on it.

Then you run tabletop exercises. Not to scare people. To make the first hard conversation happen in a calm room, not during a live incident.
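What "seeing patterns" in centralized identity logs looks like in practice, as an added example that is not part of the post: two detections run over sign-in events (a successful sign-in on a deactivated account, a sign-in without MFA, and a run of denied MFA prompts followed by success) with the alert routed to a named owner. The log lines, the key=value line format, the disabled-user list and the owner address are all constructed; no vendor's log schema is implied.

```python
"""Added example (not from the Narrative Group post): simple detections run
over centralized identity sign-in logs, with a named alert owner.

The log lines, the disabled-user list and the owner address are constructed;
the line format is an assumed key=value layout, not any vendor's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sign-in events from an identity provider.
LOG_LINES = """\
2026-03-02T08:01:12Z user=bob result=FAIL reason=mfa_denied src=203.0.113.5
2026-03-02T08:01:40Z user=bob result=FAIL reason=mfa_denied src=203.0.113.5
2026-03-02T08:02:05Z user=bob result=FAIL reason=mfa_denied src=203.0.113.5
2026-03-02T08:02:30Z user=bob result=SUCCESS reason=mfa_ok src=203.0.113.5
2026-03-02T08:05:00Z user=alice result=SUCCESS reason=mfa_ok src=198.51.100.7
2026-03-02T09:10:00Z user=carol result=SUCCESS reason=password_only src=198.51.100.9
2026-03-02T11:00:00Z user=alice result=FAIL reason=bad_password src=198.51.100.7
this line is not in the expected format and is skipped
""".splitlines()

DISABLED_USERS = {"carol"}              # leavers: any successful sign-in is a problem
ALERT_OWNER = "it-manager@example.com"  # assumed: the person who receives and acts on alerts

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"reason=(?P<reason>\S+) src=(?P<src>\S+)$"
)


def parse(lines: List[str]) -> List[Dict[str, object]]:
    """Turn raw lines into events; lines that do not match the format are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev: Dict[str, object] = dict(m.groupdict())
        ev["ts"] = datetime.strptime(str(ev["ts"]), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(lines: List[str], denials: int = 3,
           window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Return (rule, user) alerts in the order they fire."""
    alerts = []
    denied_at = defaultdict(list)  # user -> timestamps of recent MFA denials
    for ev in parse(lines):
        user, ts = str(ev["user"]), ev["ts"]
        if ev["result"] == "FAIL":
            if ev["reason"] == "mfa_denied":
                denied_at[user].append(ts)
            continue
        # From here on the event is a successful sign-in.
        if user in DISABLED_USERS:
            alerts.append(("disabled_account_signin", user))
        recent = [t for t in denied_at[user] if ts - t <= window]
        if len(recent) >= denials:
            alerts.append(("mfa_denials_then_success", user))
        denied_at[user].clear()
        if ev["reason"] != "mfa_ok":
            alerts.append(("signin_without_mfa", user))
    return alerts


if __name__ == "__main__":
    for rule, user in detect(LOG_LINES):
        print(f"ALERT [{rule}] {user} -> route to {ALERT_OWNER}")
```

Each alert carries a rule name and routes to one owner, which is the "alerting needs ownership" point: a detection nobody receives is not visibility. The thresholds (three denials in ten minutes) are parameters to tune against your own baseline, not fixed numbers.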

9) Vendor and third-party risk (your posture includes your partners)

If your company runs on vendors, then vendor risk is your risk.

Verizon reports 33% of breaches involved a third party. That’s not a corner case.

So you inventory vendors who touch sensitive data or have network access. You limit vendor access. You time-box it where you can. You monitor it. You remove it when the relationship ends.

You also set minimum expectations in contracts. Breach notification timelines matter. Data handling matters. Access control expectations matter.

And be careful with the “lowest cost provider” mindset. One hidden cost is loss of scalability. You end up doing expensive rework later, right when the business needs momentum.

10) Data protection and compliance (treat it like a managed program)

Privacy and compliance show up fast once you handle payment data, employee data, health information, or cross-border customer data.

PCI, GDPR, and PIPEDA are real requirements. They also collide with operations if you treat them as paperwork.

I’m a fan of prioritization and phased execution. We’re advising a payments provider involved in traveller registration where PCI, GDPR, and PIPEDA issues exist. The payment platform isn’t always the first thing you tackle, even when it’s imperfect. Sometimes you address the bigger business risk first, then you come back and close the compliance gap.

That’s how you make progress without breaking the business.


People and change: security has to work on the front line

If your security program makes your front line miserable, your front line will route around it.

I’ve seen this dynamic for years. Store managers, operations leaders, finance teams – they’re smart people. They’re just not interested in being slowed down by technology that doesn’t fit reality.

So you listen. “Show me the day in the life.” Where are the frustrations? Where is the technology letting them down?

Then you fix those points of friction and you follow through. Talk is cheap. Actions speak volumes.

When security controls create constant interventions, you end up adding labor back in to manage the friction. Or you get workarounds. Neither outcome helps you.

AI in cybersecurity: useful in the right places, dangerous as a fantasy

Anything related to AI gets overhyped quickly. I’m optimistic about AI in specific areas. I’m also blunt about the risks.

AI is immature and evolving rapidly. It doesn’t know what it doesn’t know. It can be a very good liar. So I don’t support unsupervised AI making security decisions on its own.

Where I do like AI is for learning from human feedback, workflow support, data standardization, and triage. We’re doing projects where AI learns which emails your team believes are phishing attempts and then eliminates them moving forward.

Once AI matures, there’s also a financial argument for AI automation. IBM found that organizations using security AI and automation extensively saved about $1.76 million per breach. IBM also reported a $1.68 million average savings associated with adopting DevSecOps.

A 90-day execution plan you can actually run

If you’re looking for a practical timeline, here’s how I’d push it.

In the first couple of weeks, focus on visibility and ownership. Identify crown jewels. Assign system owners. Build an asset inventory that’s good enough to act on. Decide who owns security decisions.

From there, spend the next month hardening the basics that drive most outcomes. Roll out MFA for email and remote access. Standardize endpoint protection. Establish patch cadence. Tighten admin privileges. If you do nothing else, that work reduces risk fast.

Then prove recovery. Implement immutable or offline backups for critical systems. Test restores. Write a simple incident response plan and run a tabletop exercise with your leadership team. You want that muscle memory before you need it.

Finally, clean up vendors and access. Inventory third parties. Remove stale accounts. Tighten vendor access paths. Add minimum expectations for new vendors so you stop importing risk by accident.

This is how you build momentum without chaos.

The board-ready scorecard (simple numbers that drive the right behavior)

Executives don’t need 40 pages of technical reporting. They need signal.

So I like scorecards that track coverage, stability, speed, and readiness.

Coverage tells you whether MFA and endpoint controls are actually deployed broadly. Stability tells you whether your critical systems are reliable and whether backups are succeeding. Speed tells you how fast you disable access after termination and how quickly you patch critical vulnerabilities. Readiness tells you whether incident response is real, tested, and owned.

Then you tie it back to financial reality. If you’re a CFO, quantify downtime. Translate it into lost productivity. Track the trend. It changes the conversation fast because it connects IT spend to the P&L.
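The scorecard above, worked through as an added example (not code from the post or from Narrative Group): it rolls a snapshot of the environment up into the four signals named here, coverage, stability, speed and readiness, and rates each red, amber or green. Every data set is constructed, and the thresholds in THRESHOLDS are an assumed policy for the accountable leader to set, not figures from the post.

```python
"""Added example (not from the Narrative Group post): a board scorecard that
rolls a constructed snapshot into coverage, stability, speed and readiness
metrics and rates each one red/amber/green against assumed thresholds."""
from datetime import date
from statistics import median
from typing import Dict, Tuple

# Constructed snapshot: (hostname, edr_installed, disk_encrypted).
ENDPOINTS = [
    ("lt-01", True, True), ("lt-02", True, True), ("lt-03", True, False),
    ("lt-04", True, True), ("lt-05", False, False), ("dt-01", True, True),
    ("dt-02", True, True), ("srv-01", True, True), ("srv-02", True, True),
    ("srv-03", True, True),
]
# Constructed: (username, mfa_enrolled).
ACCOUNTS = [("alice", True), ("bob", False), ("carol", True), ("dave", True),
            ("erin", True), ("frank", False), ("gina", True), ("hal", True)]
# Constructed: outcome of each nightly backup job over the last 20 runs.
BACKUP_RUNS = [True] * 19 + [False]
# Constructed: hours between HR termination and account deactivation, last five leavers.
DEPROVISION_HOURS = [2, 5, 48, 1, 12]
LAST_RESTORE_TEST = date(2025, 12, 1)
LAST_TABLETOP = date(2025, 6, 1)

# Assumed thresholds: (green_limit, amber_limit, higher_is_better).
THRESHOLDS = {
    "coverage_mfa_pct": (95, 80, True),
    "coverage_endpoint_pct": (95, 85, True),
    "stability_backup_success_pct": (98, 90, True),
    "speed_deprovision_median_hours": (24, 72, False),
    "readiness_days_since_restore_test": (90, 180, False),
    "readiness_days_since_tabletop": (180, 365, False),
}


def pct(hits: int, total: int) -> float:
    return round(100.0 * hits / total, 1) if total else 0.0


def scorecard(today: date) -> Dict[str, float]:
    """Compute the raw metrics from the snapshot."""
    return {
        "coverage_mfa_pct": pct(sum(mfa for _, mfa in ACCOUNTS), len(ACCOUNTS)),
        "coverage_endpoint_pct": pct(sum(edr and enc for _, edr, enc in ENDPOINTS), len(ENDPOINTS)),
        "stability_backup_success_pct": pct(sum(BACKUP_RUNS), len(BACKUP_RUNS)),
        "speed_deprovision_median_hours": float(median(DEPROVISION_HOURS)),
        "readiness_days_since_restore_test": float((today - LAST_RESTORE_TEST).days),
        "readiness_days_since_tabletop": float((today - LAST_TABLETOP).days),
    }


def rag(metric: str, value: float) -> str:
    """Rate a metric against the assumed thresholds; direction depends on the metric."""
    green, amber, higher_is_better = THRESHOLDS[metric]
    if higher_is_better:
        return "green" if value >= green else "amber" if value >= amber else "red"
    return "green" if value <= green else "amber" if value <= amber else "red"


def rated_scorecard(today: date) -> Dict[str, Tuple[float, str]]:
    return {m: (v, rag(m, v)) for m, v in scorecard(today).items()}


if __name__ == "__main__":
    for metric, (value, colour) in rated_scorecard(date(2026, 3, 1)).items():
        print(f"{metric:36} {value:8.1f}  {colour}")
```

Six numbers and six colours is the whole report; the trend from month to month is what the board reads, and the CFO can put downtime hours next to the stability line to connect it to the P&L.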

That’s where Narrative Group comes in. We can help with a financial and tech assessment.

Final thought: build security that helps you run the business

Cybersecurity in 2026 is not about chasing shiny tools. It’s about building an operating model that keeps you current, keeps you resilient, and keeps your people productive.

Follow the money. Protect the value chain. Map the data flows. Keep platforms mainstream. Use “vanilla software” where you can so you can evolve without breaking.

And remember the human side. Your front line wants the problems solved. They want technology to stop letting them down. If you respect that and design for it, security becomes an enabler of growth instead of a constant fight.

Frequently Asked Questions

How do I justify increasing the cybersecurity budget to the board?

Stop calling it an IT expense. Call it revenue insurance. With the global average cost of a data breach hitting $4.45 million, security is a matter of solvency. Frame the budget around operational resilience: patching is infinitely cheaper than downtime, and investing in ‘boring’ foundations prevents the shadow IT that introduces massive risk.

Do mid-sized companies need a full-time CISO?

Not necessarily, but you need ‘C-level’ accountability. While 82% of CISOs now report to the CEO, mid-market firms often succeed with fractional leadership. The real risk is the governance gap: only 5% of boards have cyber expertise. You must designate a leader with the authority to enforce standards and say ‘no’ to shortcuts.

What is the single biggest security vulnerability we face?

It is rarely a zero-day exploit. It is usually a door you left unlocked. Verizon reports that 82% of breaches involved exploiting known vulnerabilities – fixes that already existed. If you ignore basic hygiene like patching and identity management, you are essentially inviting attackers to disrupt your value chain.

Can AI replace our need for human security staff?

No. AI is too immature for unsupervised decisions – it often ‘hallucinates’ facts. However, it is excellent for triage. Organizations using security AI extensively saved an average of $1.76 million per breach. Use automation to handle the repetitive data work so your human team can focus on complex strategy.

How do we manage vendor risk without slowing down operations?

You must treat vendors as part of your own attack surface. With 33% of breaches involving third parties, you cannot abdicate responsibility. Inventory every partner touching your data, time-box their network access, and enforce minimum security standards in contracts. The ‘lowest cost provider’ often introduces hidden costs through weak security.


The Technology Narrative Group is a premier Technology Consulting and Managed Services Provider for SMBs, delivering enterprise-grade security, service quality, and executive insights - typically reserved for clients of top firms like Deloitte, EY, PwC, KPMG, and Accenture - at a fraction of the cost and tailored to their unique needs.