While this is most likely true in every industry, it is VERY true in cybersecurity.
Most organisations above the ‘corner store’ size have some form of ‘in-house’ IT support, even if it’s just the CEO’s brother-in-law, but only the larger organisations will have dedicated in-house security expertise. It’s simply too expensive.
However, most organisations need security expertise – usually when it’s too late unfortunately – so it’s crucial that they are able to define their specific needs in such a way as to attract the right suppliers of those services. Unfortunately, and all too often, the wrong questions lead to the wrong suppliers who provide the wrong services. If they gave you what you asked for, whose fault is it?
Instead, it makes sense to outsource the choice of your security services to someone best placed to judge: a security expert unhindered by organisational or employment commitments, i.e. someone who is not employed by a security company and is 100% ‘vendor neutral’ in terms of service or product ‘recommendations’.
Of course, you still have the problem of where to find this person, and of ensuring that they are the right person to make these choices on your behalf, and the responsibility for this due diligence must begin with the person most accountable. Whether this is the CEO, COO, IT Manager or whoever, the individual who understands the business goals of the organisation needs to be the one asking the questions.
Many large organisations make the curious choice of allowing their purchasing departments to run the vendor selection process, often without specialist security input beyond the most basic of initial requirement definitions. This leads to an RFP that not only asks all the wrong questions, but also to reviews of the responses by people who don’t understand the answers. The choice is then often based on price and not capability, turning the whole thing into a debacle.
You don’t allow your dentist to choose which law firm you use to represent you, why would you have anyone other than a security expert define your security solutions?
Even your in-house security team is under certain limitations, and cannot be truly objective with regard to their choices. Whether it be pressure from above, fear of making a mistake, or vendor preference / bias, the choices are rarely the optimal result for the organisation. Nothing nefarious, just human nature.
The development of an overarching security program has many moving parts, and every step must be taken with a view to the end goals, the current needs (risk priorities), and the bit that’s often neglected: how each piece integrates with the next. The purchase of security services, and especially products/technology, must be based not only on cost, but on how it will be installed, maintained, managed, monitored, and measured.
This can only be performed by a Governance function that has access to, and guidance from, a true security expert.
I can’t say that I’ve come across a service like this, perhaps I’ll start my own…