Cybersecurity Market Gap: Buying to a vision, or buying to buy…

More and more I’m witnessing conversations with customers who are asking: “OK – what did I get?” They are spending millions on “solutions”, but cannot quantify any sense of “feeling more secure”. For me, this prompts some questions:

  • Does the outcome of the purchase or product match expectations? Your boss’s expectations?
  • What do you think went wrong? What went right?
  • How can you recover a fumble in the most efficient, expedient way possible?
  • How do you prove and show value? Did the “solution” solve a problem?

A Sobering Story

I wanted to share a story that explains the kind of problems we want to help our customers solve. I met with executives from a large firm last year who shared a pretty shocking situation with me (in confidence, so no names or hints):

  1. We decided to build a SOC and spent $15m (on a very sexy facility with screens, teaming rooms, etc.)
  2. The guy who led the build is no longer with the company
  3. We are unable to demonstrate any real value to the board because we are still unsure what to even put in the SIEM
  4. The 5 interns out on the floor today are smart, but we simply cannot produce results

How did they get there?

When we start the “SOC build” discussion, we ask a few key questions (and this is a tiny subset that should demonstrate obvious value):

  1. What is your vision for what your SOC will do?
    1. This helps set the stage for services, which in turn defines the supporting technology that goes into the SOC
    2. This is also where you start making decisions about what you will build, what you will buy, and where you might buy today and build tomorrow, using the purchase as an interim solution
    3. One size does not fit all, but understanding what a SOC can do (https://www.mitre.org/publications/all/ten-strategies-of-a-world-class-cybersecurity-operations-center) and then matching a vision to the capabilities you want is a good first step (e.g. the SOC may or may not do vulnerability management; one client we came across did not do Incident Response out of their SOC)
  2. What kind of coverage do you want?
    1. There should be a resourcing plan based on 5×9, 24×7, or some other desired scenario commensurate with the investment appetite (I have witnessed a complete miss on exploring the requirements for this, and see a failed expectation that 5 interns could deliver anything of value)
    2. This takes some up-front thought, especially since you are not going to start where you want to wind up; it’s a journey
  3. How will success be measured?
    1. Defining the desired capabilities up front gives us some sense of when we are getting close
    2. Effective metrics give us a success story to share at all levels (operations, management, executives): http://seanmason.com/2014/07/14/incident-response-metrics/

Conclusion

When you read “Programmatic Security or Transformation” on this site, the above approach is what we mean. “Measurable” is another key concept. You cannot manage or convey any sense of value on something you cannot measure.

If any of this hits close to home, please contact us as soon as you can, and let’s start a discussion about how we can solve these problems together.

Carric Dooley

carric@indelible.global
