Here is a fun exercise if you are bored. Go into any grocery or superstore. If you prefer online shopping, log onto your favorite retailer and find/pick any one category of products. Next, count how many brands there are in that one category. Then, count how many different options or different stock keeping units there are for each brand. In many cases, you would not be able to get an exact count.
Why is this so? Because we have so many options today for almost anything we want.
The options available to us don’t stop at products. Our options extend to the way we procure what we want as well. There are almost as many ways to purchase or obtain what you want as there are things to want. Our endless choices extend to the way we select housing, cars, vacations, rides and even things as personal as relationships. Long gone are the days of having to commit to anything. So why not take this flexibility that allows for a greater fear of commitment and extend that into the way we address cybersecurity?
In any given week, I am contacted by a minimum of 25 new security product vendors. This is too many choices, too many options and too many phone calls/emails. In addition, each of them claims to solve all my problems. Really? I didn’t realize I had fallen asleep and awakened to a perfect world. So, in a world full of imperfections and multiple options and solutions, combined with the shortage of people to implement, deploy and run these magic tools, how do we become successful? How do we choose the right mix of what we need against what we are capable of handling, both physically and mentally? Because of our “fear of commitment,” we can conclude this much: if we design security processes, tools, services, etc. into a pay-as-you-go or pay-as-you-need model, we may be able to find the right mix that:
· is in the budget
· can change as we please
· can give us what we want and not what we don’t
· can let the headaches of commitment be someone else’s problem
What is it that I am really proposing? It’s founded in the ideas of outsourcing – but taken to the next level. Let’s use personal transportation as an example. If I live in a large metropolitan area with decent public transportation, with the addition of services like Uber and Lyft, would I ever purchase a car? The only time I would purchase would be if I had another need for personal transportation (like a delivery job) or if I frequently traveled outside the city to my vacation home. I can get affordable transportation that changes with my needs and gets me exactly where I want to go without extra stops, and I don’t have the headache of insurance, car maintenance or regret over my purchase if next year’s model turns out to be so much more awesome.
I don’t have to commit. I can choose what I want when I want it. I may have to commit to a partner or partners based on my needs, but if the agreements between you and those partners are done right, those can be easily and mutually exited from as well, easing that ever-existing fear of commitment.
Say you live in a smaller city with limited public transportation and fewer personal car service drivers. In this case, you may want to buy, but buy only what meets your basic transportation needs, and when you want to spice it up, you order the ride you want at that particular moment in time. In this mix of the model, you get the basic tool you need, but when you feel the fear of committing to something less desirable, you can get the dream for a short period of time. In addition, when the day comes when you want more and are ready to commit to the car of your dreams, your older basic model is less of a burden or loss of money when moving to an upgraded model.
To break down the idea of the “Uber model of cyber security” even further, we can discuss the options available. For example, if you need something efficient, fast, cheap, etc. you can select a normal economy car. If you have extended needs like additional riders or need luxury, you can select the XL or the Lux. The beauty of the model is that it is point-in-time selection. You do not have to always select one type or the other. It can flex and bend as your needs flex and bend.
Before selecting this model for your cybersecurity program, you will need to determine what your security needs are. I suggest setting or using a foundational framework to work from, like NIST. Unless you are required to, you do not need to follow such frameworks to the T, but they do help provide an outline for where to focus. Once you determine the foundation, work on evaluating where you want your needs, tools and technologies to be in order to address the risks identified, using the framework as a guideline. Then, find a strategic partner who will provide for your needs in the form of various services they manage on your behalf rather than an outright purchase of tools.
As time progresses and your program matures, you can later move to more control and ownership if you determine that is best. This is just like using a car service and then deciding you miss the fun of driving and the power of acceleration under your hands.
To tie all this back to cybersecurity, what I suggest is:
1) Find a strategic partner that you trust, that can deliver what you need and that can do it without requiring you to buy a single technology license;
2) Build the right agreement that allows for the flexibility in services you need, based on product offerings you trust and prefer but, again, are not required to own;
3) Implement “services” instead of tools/technologies (yes, you will probably have to deploy at least a couple of agents and maybe a virtual server here and there but again no real long-term commitment);
4) Find your happy level of control and lack of control over these technologies and services;
5) Adjust the model as needed to achieve number 4;
6) Track and monitor how it is going and again adjust as needed, which may mean moving to a full purchase of a technology/tool; and
7) Work with your partner to find new and inventive ways to partner on new service delivery models.
For this to be successful, you will have to commit to a few things:
1) Trust your strategic partner and be able to let go of all the control over the tools/technologies;
2) Keep open and honest lines of communication with your partner with the mutual understanding that both sides come with flaws that you have to work through together;
3) Share a mutual vision with your partner of what services can be delivered, how they should be delivered, to what extent they should be delivered, when they should be delivered and at what cost;
4) Avoid becoming easily distracted by the next “shiny” object that presents itself as the next solution to replace all solutions;
5) Have an internal team that knows how to make partnerships successful; and
6) Have a good exit strategy and plan B that allows flexibility without loss of services.
In a world where we have endless choices combined with a fear of committing to any one choice, there is a way to find the balance. For that to be successful, you have to be willing to let go of the old ways of doing things and embrace the ideas of the future while understanding it is a journey. You just need to decide on what is the best method of transportation for your own cyber journey.