A month ago I wrote the blog ‘Beware of the “Pet Rock” Cybersecurity Vendors’, in which I offered to give a day of my time away for free. I stated:
“Any organisation within a 1 hour train ride from London can have 1 day of my time for ‘free’ as long as the following requirements are fulfilled:”
And while those ‘requirements’ were as basic as they were necessary…:
- I get 30 minutes of the CEO’s time, one-on-one, prior to all subsequent meetings – no alternates, no exceptions;
- If you have a governance function, I get a 30 minute meeting with them, if you don’t, 30 minutes with your senior leadership (or equivalent);
- I get one-on-one meetings with the following people (partial):
- Head of IT;
- [full list here]
- I receive a brief from the relevant teams/personnel on the current state of your:
- Governance / Change Control;
- [full list here]
- You pay all travel costs and buy me lunch.
…not one organisation took me up on my offer.*
With the exception of a train fare and a lunch they had very little to lose and quite a bit to gain, namely:
- A high-level report on your Top 5 security risks, and options (not recommendations!) to mitigate them;
- A first impressions summary of your security control capability gaps;
- A first impressions summary of your cybersecurity skills-gaps;
- A prioritised list of your suggested next steps in the development of an appropriate security program;
- A rating, based on my experience, of the maturity of your existing security program i.e. are you above or below the bad-guy’s radar.
So why did no one reach out?
If I’m completely honest with myself, by far the biggest reason is probably the fact that – with the exception of a few subscribers – most of the people who come across my blogs have absolutely no idea who I am. And unless they actually like the blog, they will move on without a backward glance. I mean, it’s not as though I’m some security mega-star fighting his way through clamouring cyberrazzi when I leave the house, so who the Hell am I to think this offer is even worth anything?
However, I would like to think that both my experience and my 350+ blogs are a positive reflection of my capability and suitability to provide significant and above all appropriate value. My demeanour and other obvious character flaws aside.
Another major reason is a perfectly justified cynicism of security vendors. I dare say quite a few readers assumed that this was just a gimmick and a ‘loss leader’ in the hopes of driving more business. While I admitted up front that this was indeed a part of it, I have no doubt that it put many off. We security vendors are increasingly seen in the same light as used car salespeople from a reputation perspective, and this can only hurt all sides.
I am equally cynical of this ‘in-app purchases’ approach to lead generation, so I really can’t blame them.
But assuming my skill-set, personality, motivations, aqueduct, wine, and public health aren’t in question, what’s holding them back? In order of likelihood I believe these to be the Top 5:
- There is no way I’m getting in front of the CEO – In the 20 years I’ve been doing this stuff, I’ve met only a dozen or so CEOs. Despite the enormous benefit of getting the CEO’s buy-in/support, readers knew they could not get me in front of him/her, so why bother trying. And it’s here, in case you weren’t aware, where 99.9% of security initiatives go to die;
- No one other than the CSO/CISO (if they exist) or possibly the CTO gives a rat’s arse – Every senior role has a significant part to play in security, most demonstrably when it’s in the guise of a Governance function. If that function doesn’t even exist, getting me in front of the General Counsel, Head of HR, Sales etc. individually and all in one day was likely impossible. So again, why bother trying;
- There is no concept of ‘ownership’ in place – Every asset within an organisation needs an owner, one who has not only the responsibility but the accountability for its security and continued value recognition. Without this in place few senior managers would want to even hear about negative consequences for which they should, by all rights, be raked over the coals;
- Apathy on behalf of my [relevant] readers – not every reader of my blog is in a position to get an onsite visit by a security consultant approved. But for those that are, the effort might be significant, and given the other points above, why make the effort? They may even have cared once, but experience has beaten them down; and
- The reader has met me – and knows that I’m a fat greedy git who’ll demand lobster.
The fact is that most organisations are simply not geared up to put this offer into a context that makes sense to the business, even when very little capital cost is involved. The reasons are myriad and infinitely varied, and unless they have a reasonable security program in place already, what I’m offering does not make sense. The chances are they don’t even know they need the type of help I’m offering to provide.
Until organisations recognise that 99% of security is operational and not just part of someone’s job description, the implementation of an appropriate security program will escape them. It just takes the right first step, and that’s really what I’m offering here.
I can’t DO everything you may need, but I CAN tell you what it is you need most.
* I did receive a very nice email from someone in Portugal mind you! 🙂