Avoid costly firefighting: how to be smarter about cybersecurity procurement

Buying more solutions is not an IT security strategy. It could even cause more integration headaches. But with a more planned approach, you can get more from your budget and protect your resources.


Impulse buying IT solutions feels like you’ve achieved something today, but have you just given yourself an integration headache for tomorrow? With a more planned approach, you can get more from your budget and protect your resources more effectively. Here are two questions to ask yourself:

Is your IT team wilting under a pile of new cyber-tools that need to be installed, configured and maintained?


How do you decide which security solutions to buy for your business?

For most organizations, their approach is to try to understand the vendor landscape and then understand the breadth and complexity of their IT security problems.

To an extent, this strategy can work. If you buy the best products you can find according to the budget you have, then you’re working towards having the optimal security posture for your organization.

But the vendor landscape today is so crowded that you can spend all of your time just trying to understand all of the products you could use, then choosing between them. Keeping an eye on Sounil Yu’s Cyber Defense Matrix helps you deal with this.

As you read this, I expect your risk register is top of mind, right alongside the most recent data breach you’ve just heard about. So it can feel right to get on and do something rather than stop, think and consider alternative courses of action. By taking action, for example, buying a product, you think the problem’s fixed, giving you one less thing to think about.

The problem? This ‘strategy’ doesn’t work.

But why?

Firstly, it doesn’t support an organizational policy. It’s just what you did before, and so it’s what you continue to do. Easy win.

But buying a product is not, in itself, a strategy.

This approach prevails without proper reflection, and no one can question the decision because it’s never clearly expressed in a way that permits it to be challenged.

Secondly, your company ends up with a mix of disconnected solutions that are installed but not configured, and sometimes their monitoring capabilities and logs, which looked so impressive during the sales presentation, are only considered after a suspected breach. However, with some small changes, the buying approach can pay off, or at least reduce the effort you spend firefighting to a manageable level, so you have breathing space to focus on new projects.

Here are three ways you can get smarter about buying the right cybersecurity solutions for your business.

1. Have a buying strategy for attending events

Firstly, use the conferences and exhibitions you attend intelligently. InfoSec conferences, especially those dominated by a vendor hall rather than by tracks of presentations, can be beneficial if used in the right way. It can be tempting to use the occasion to catch up with contacts in the industry, put in an order for a new solution to justify the time and money it took to attend, and then go home. But you can be smarter than that.

Don’t be afraid to play off vendors against each other. Shuttle between them comparing advantages, answers and prices, examining any criticisms raised by one vendor with the responses of another.

Ask someone who has left a booth you’ve been at, or are considering visiting, what they thought of a solution and its vendor, and whether there are any aspects they found particularly useful or troubling. It’s a good way to think through your current position, with the side benefit of making the most of networking opportunities without the shallow performance of pushing your business card (or scanning your pass at more technologically advanced events).

2. Try before you buy

Secondly, consider either a bake-off or a trial period or a pilot project – whichever is your organization’s preferred way of working.

A bake-off is similar to the televised cooking competitions: each of the products under consideration is put in direct competition with the others to see which offers you the best solution for the least cost. The options you select, of course, depend on the structure of your estate and many other factors about your organization, but rather than rushing to resolve an issue, you can instead spend a few weeks testing the implementation, saving yourself time in the long run.

In particular, either a bake-off or a pilot project shows that the products are under serious consideration, and your vendors should be able to devote resources to making the test period a success and resolve any technical issues before a full rollout.

I recommend sequential pilot projects over bake-offs, only progressing to the next pilot project if the previous one didn’t give you the results you wanted. A pilot project is far less intensive than the effort required for a bake-off and dealing with multiple vendors simultaneously. Also, it’s much easier to have set aims for a pilot project, making it an easy purchasing decision at the end of the trial period, while keeping everyone focussed during the exercise.

3. Take a lesson from the world of gaming


Finally, consider “table-topping” or “wargaming” the introduction of the technical solution. This is like running a pilot project, but conceptually. By “wargame,” I mean a business wargame. It’s called a “tabletop” because that’s where you run the game, and that’s specifically where everyone concentrates their attention. You can either buy an appropriate game, hire a consultant to build one, or design one yourself. The process is more straightforward than you think.

To put a simple wargame together, you need some kind of board to represent the situation you’re discussing (for example, a network diagram), some pieces or markers to represent different resources (like some coins to represent the available budget) and a brief set of rules to determine how the game progresses. This prevents decisions being made according to the opinion of the most senior person present.

Unfortunately, the word “game” has all kinds of unhelpful connotations, making the exercise not seem serious enough for the gravity of the decision you’re making, but the game and its rules are there to help you think and to encourage everyone to contribute. Meetings are a poor format for decision-making, with the quality of the decision usually determined by how long the meeting was, who shouted the loudest and how close it was to lunch.

By running a tabletop exercise playing through the implementation of a project, you can get everyone around the table to consider the impact of the new technology in their field. Does a more efficient endpoint threat management solution send too many alerts to the over-worked Security Operations Center? Does the new firewall implementation work with existing configuration maintenance software? From there, scenario plan a typical day or week and judge the impact on your staff and the departments you work with of taking on the new solution.

Don’t be afraid to modify the format of the game as it progresses, to use counters or markers on a board to represent the impact of network changes or the demands on staff. A simplistic representation of your proposed solution can quickly reveal unrealistic demands or requirements that never come out in discussions or a spreadsheet-based analysis.

As a side benefit, getting people together to think through a procurement decision and its ramifications in this structured way can have serendipitous benefits, as different silos within your organization form stronger links, improving decision making in the future.

Overall, buying the best solutions you come across can get you through the next quarter, especially if you combine it with the occasional heroic effort by your employees when inevitable problems occur. But that kind of strategy isn’t sustainable, and it isn’t the optimum use of your resources.

Your attackers are becoming smarter, but your budgets aren’t getting bigger, so you’re going to have to out-think your opponents. By planning more strategically before buying, you can make the most of your IT security budget.

The opinions in this article represent those of the author.


About authors

Nick Drage is a cybersecurity consultant, helping customers make informed decisions about products and services, and their overall cybersecurity strategy. Nick is interested in how individuals and organisations find, test and create winning strategies in any field, from cybersecurity to American football or Tetris.