Organizations are routinely faced with tough decisions around cybersecurity processes and technology. One of the biggest hurdles is explaining what is needed (and not needed) to business stakeholders who lack a technological frame of reference. In those cases, relating cybersecurity to more universally understood practices and opportunities can be a true boon for generating buy-in and getting things done. To that end, the purchase, maintenance and need for different cybersecurity products can be compared to how a car is evaluated, acquired and maintained in the real world.
Build, buy, rent?
The first question when addressing a cybersecurity concern is how a particular control or process will be acquired. Is this something that the organization should do internally, something a new product will cover or something that could be outsourced to a services organization? When compared to the process of considering a new car purchase, the parallels are direct and easily drawn.
Option 1: Build
First, should you build your own car? The answer depends less on any one person than on the capabilities available to that person today. You could build a car from parts or from a kit — but only if you, or those you can call on to help, have the necessary knowledge, training, and experience to do it effectively. Otherwise, while you may succeed in putting the car together, doing so will almost certainly be neither efficient nor effective — and it will end up costing significantly more in the end.
In the exact same way, attempting to create new security protocols and controls from scratch is possible in many areas, but may not be the best idea. While combinations of Group Policies, device management, and other tools will help, they must be both implemented and maintained by professionals who specialize in those areas. If those personnel are already within the organization and/or can be brought on board within budget, then this strategy could work. If not, then it is likely that this strategy will either not work at all, will exhibit high failure rates over time, or both.
Option 2: Buy
What about buying a car? This is the most common way to obtain a vehicle, but not a decision you would make “off the cuff.” Before purchasing a new car, several factors are usually reviewed and applied to potential choices to find the correct car for your needs. Test drives may be involved to make sure the car chosen meets or exceeds those needs, and comparison shopping is extremely common as well.
When looking at a car purchase, you also think about how the car will be used — is it something to get to work every day, or something you’re planning on using for long-haul trips and vacations, or both? Is the electric charging infrastructure built out in the areas you will drive? If not, then a fully electric car may not be a good fit right now — but a hybrid could work. What about regulations? Are there restrictions in your state/city that would make one type of car more cost effective than others? These, and many other questions need to be asked and answered before the choice of car can be made effectively and efficiently.
For cybersecurity, the questions are similar. How will the tool be used? Is it something that will defend a physical infrastructure, remote workers, cloud systems, etc.? Will your users be able to take advantage of the system without impairing their ability to do their jobs? Are there regulations that must be met or exceeded by the toolset to keep the organization in compliance and avoid fines? Will you be able to perform a Proof-of-Concept and/or Pilot to ensure that the tools meet or exceed these requirements? The answers to these questions come together to produce a set of operational parameters that will allow the organization to find the right product for their specific use cases.
Option 3: Lease
How about leasing — or, in the technology world, outsourcing? There are benefits and drawbacks to leasing a car instead of buying it. On the plus side, lease contracts can come with routine maintenance and service built in. A fixed lease also allows the total cost to be budgeted over time and ensures that the opportunity to upgrade to a new model, or even a different car, at regular intervals remains on the table. There are downsides, too. While not impossible, it’s very difficult to break a lease if you want to change cars in the middle of the contract. You may also still be responsible for some of the costs associated with the car, like fuel, cleaning and overage charges if you drive more than the mileage allotted in the lease.
In the cybersecurity world, outsourcing has many of the same benefits and drawbacks. A Managed Security Services Provider (MSSP) can be responsible for the implementation, tuning, and maintenance of security controls and processes for the organization, freeing up IT staff and amortizing the cost of controls over the length of the contract. However, MSSPs also have penalties for terminating a contract early and may not cover all the tools and processes the organization needs, leading to additional budget pressure.
Drawing a further parallel to cybersecurity, validation platforms are often used to aid in the risk and exposure management decision-making processes. They provide insights to determine the baselines of an organization and for rationalizing what they have and what they need. From there, data-informed decisions can be used for determining what to build, what to buy, what to outsource, and what is no longer needed.
Which car is right for you?
Regardless of how you’re planning to acquire the car itself, it is important to determine which make and model is the best fit for you. While any vehicle can get you back and forth to work, using a Winnebago for that purpose is unlikely to be a satisfying experience. The cost of adequate parking, fuel, and the other add-ons that come along with an RV far outweighs the benefits of such a vehicle for commuting. Conversely, attempting to travel across the country in a two-door sedan is also not the best idea. What about luxury features? While they aren’t required, there are many cases where the extra comfort and amenities of a luxury car would benefit a commuter — if they’re within budget, of course.
For cybersecurity, this type of discussion comes up when several competing products can all do a specific security job effectively and the question is which one is right for the business. Buying a massive platform when only a select few features are needed results in ballooning budgets that aren’t contributing to overall security. Underbuying is also a danger, however: missing critically needed features creates security gaps. “Luxury” features like white-glove customer service can be very useful if fiscally acceptable, but are not necessarily required if the organization already has the staff to properly and effectively manage and maintain the toolset in-house.
Executive-level reporting is often used to define what is required, in terms of features and functions, to get the job of defending the organization done. If existing tools already cover many areas of defense, then the organization may not need an extensive platform to fill in the few remaining gaps. Conversely, if the current tools are non-existent or ineffective, then spending additional budget on a more feature-rich defensive platform would save money in the long run. This can be achieved by negotiating contracting and licensing terms on the larger purchase up-front and eliminating subscriptions/licensing on ineffective and/or redundant toolsets.
Summing it up — ask the same questions before you decide
Whether your needs demand a luxury coupe or an economy model, asking these questions before buying a car is something most people would consider standard practice. Over-buying or under-buying will lead to more problems than the vehicle itself solves, and it only makes sense to think the process through. With cybersecurity purchases and services, the exact same set of framework questions can prevent problems down the line for organizational cybersecurity as well. With a common framework of questions and concerns, both technology and business stakeholders can be on the same page throughout the buying process, and the result is more effective security for both groups — and for the organization as a whole.