BuboWerksNon-Security

What is a Small, Medium or Large Organization, or Enterprise?

Many of BuboWerks service offerings are priced based off the size and complexity of an organization. BuboWerks was started in large part to make the same information security services used by large organizations available to the 99% of organizations that don’t have more revenue than a small country’s GDP. This raises the question of what makes an organization small, medium, or large, and what qualifies as an enterprise? We will start with our definition, then discuss how we got there.

To determine Small, Medium, or Large, we use three measures:

  • FTE is “Full Time Equivalent”, which is the number of employees, adding together the fractional time that part-time employees contribute.
  • Revenue is the average of the past three years or time since inception (whichever is shorter).
  • CSE is “Computer System Equivalent”, which is similar to FTE in that it is the number of computer systems (operating system images — so running four VMs counts as four CSEs), once again adding together the fractional time that dynamic systems like cloud compute may add in; for example, if you have four VMs running on a host, two desktops, and ran 12 IaaS images for 1/4 time each, you would have 10 CSE (don’t forget to count the VM host). This does not account for PaaS or SaaS usage, but provides a decent approximation of the complexity of an organization’s IT resources.
SizeFTEs (count)Revenue (US$)CSEs (count)
Small OrganizationLess than 25Less than $10MLess than 25
Medium Organization25 to 500$10M to $100M25 to 500
Large OrganizationMore than 500More than $100MMore than 500

BuboWerks uses a high-watermark for the three measures, so if an organization has 10 FTEs, $25M revenue, and 10 CSEs, we consider it a medium-sized business.

A Global Enterprise, in our definition, is simply a Large Organization with offices in multiple economic areas, so — for example — the EU would be considered one economic area, whereas Hong Kong and mainland China would be considered separate economic areas. Of course, small and medium organizations may also operate in multiple economic areas; in our experience they tend to introduce less complexity when they do so.

One might ask how we came to these definitions. Unsurprisingly, there is no consensus on what constitutes a small or medium business. In fact, in the US there is no legal differentiation between small and medium. In the US, “small businesses” are defined by the Small Business Administration (SBA), which uses either a measure of revenue or headcount depending on the industry. The revenue figures range from $750,000 for businesses like farms to $38.5M for businesses like oil and gas companies, with an average of $18.1M. For businesses where the SBA uses a headcount, it ranges from 100 people for a slew of different wholesalers to 1,500 for companies like mining and manufacturing, with an average of 775. The EU, by contrast, does differentiate small and medium businesses (“enterprises” in their nomenclature) and defines them by recommendation; while those recommendations are under review, as of the time of this writing they consider a small business to be less than 50 people and €10 in revenue, while medium businesses are less than 250 people and €50 revenue (there is also an alternate definition based on balance sheet that we will ignore for simplicity).

Both the SBA and EU definitions influences where we drew our lines, with a preference for providing a wider total band for small and medium sized organizations as — even when on the larger size — we believe they are largely under-served by information security service providers. We also added in our CSE measure, designed to account for some of the higher-tech firms we serve that may have a small number of employees and revenue, but have much more complex IT environments.

We publish our standards in the interest of transparency, because we believe that transparency improves trust, and when shopping for information security services, trust is critical. If you have any questions or concerns about our organization sizing guidelines, please contact us!

Leave a Reply

Your email address will not be published. Required fields are marked *