A holistic approach to information security needs to address a corporate strategy for buying or building solutions. Such a strategy will have an impact on how a company looks at staffing and technology investments.
There are two basic ways to look at major investments of information technology and information security: you can buy or you can build.
In this model, an organization selects industry standard tools and technology, and aims to hire above-average to guru-type employees who will integrate the technology into the corporate environment. The staff is reasonably interchangeable in this model, although technology costs are on the higher end for implementation. Ongoing maintenance costs are average.
In this model, an organization hires the best and brightest, and uses software and/or hardware components to build custom solutions for the organization. This affords the greatest flexibility of tools, but requires higher staffing costs, and support and maintenance are tied to the staff for the full lifecycle of the solution. Staffing changes are a bit more traumatic to the organization, and knowledge transfer is more important than in the BUY model.
Both approaches have merit, but they impact the company’s cost structure in different ways. Option A puts more emphasis on purchasing the right tools. Option B puts more emphasis on hiring strong technologists who will build the right tools and frameworks for the organization. Either way, you always need to have good, dedicated people, but the specific skill sets required in our staff will differ for the BUY model vs. the BUILD model.
There is no *best* option, especially when you include factors like availability of skills, time to hire, competition from other companies, etc. Not only is it valid to use either option, but it is valid to use a combination of both options. A major constraint is the existing staff, and this often heavily influences the direction that an organization ultimately takes. Once the company has settled upon the model that will define the general direction of their investment strategy, they need to do two other things:
1. Identify the security risks facing the organization and prioritize their remediation.
2. Start simple with every investment, then evaluate for possible expansion after it has been implemented.
It is almost impossible to resolve issues that are not known to exist, and it is extremely difficult to set priorities and make wise choices for the investment of time or money, so the identification of risks must be performed. It must also be updated regularly. A stale risk profile is in many ways much worse than a non-existent risk profile, as it can lead to a false sense of security.
Once risks have been identified and prioritized, there should be every attempt made to implement a solution that balances simplicity and thoroughness. It doesn’t matter whether the solution is being built or purchased, the goal is to get something useful in place that will address the key risks identified, but which is expected to be potentially replaced or expanded within 12-15 months.
Ideally, the initial deployment should take no more than 4-6 weeks, and should cover a minimum of 80% of the initially understood needs of the organization for the risk it is intended to address. Getting something in place quickly and cheaply will be of immediate benefit to the organization, and it will help expose which features are really needed by the organization vs. those which were only nice-to-haves.
For organizations employing the BUY model, it makes it much easier for them to evaluate the merits of the vendor feature lists that will be vying for the corporate budget.
For organizations employing the BUILD model, they can quickly get to work on another “Round One” project, and start putting the necessary team, budget and executive support in place for any “Round Two” projects which have been identified.
For SMBs that have a limited hierarchy and are not used to any sort of formality in solution procurement, embracing this strategy can be a very effective way to add some needed process maturity without becoming overly bureaucratic. The value of a size appropriate cost/benefit analysis, and the introduction of some process discipline into the planning, procurement and deployment methodology cannot be overstated for SMBs.
Remember: Enhance the security posture of your organization by assessing the needs and make-up of your business in order to select and implement the appropriate investment strategy. Then, you can begin to mitigate your technology-focused business risks quickly and cost-effectively.
You can think of it as Agile Security, if you really want a buzzword to work with, but it is just as effective even without a cute name. Don’t delay – get started today.