Organisations need to have an overarching corporate strategy for staffing and product/service acquisition, if they expect to maintain a holistic approach to information security & technology procurement. A key question that needs to be answered is: Build or Buy?
Many organisations – especially smaller organisations – take a one-off approach to acquiring the hardware, software and services that they need throughout the year. After discovering a need, they make a short-term decision about the need in question without necessarily giving any significant thought to how this decision fits within a larger framework.
Even when major investments are being entertained, there may be no consideration given to how this purchase will impact subsequent purchases, or integrate with previous ones. There are, however, some serious implications that can come into play for an organisation based on what type of strategy they pursue – whether deliberately or due to convenience/inertia.
Security & Technology Procurement — OPTION A: The BUY model
In this model, an organisation selects industry standard tools and technology, and aims to hire above-average to guru-type employees who will integrate the technology into the necessary environments, whether corporate or customer-facing. The staff is reasonably interchangeable in this model, although technology costs are on the higher end for implementation. And “staff” can include a mix of full-time employees and contractors. Ongoing maintenance costs are average for this model.
Security & Technology Procurement — OPTION B: The BUILD model
In this model, an organisation hires the best and brightest, and uses software and/or hardware components to build custom solutions for the organisation. This affords the greatest flexibility of tools, but requires higher staffing costs, and support and maintenance are tied to the staff for the full life cycle of the solution. Staffing changes are a bit more traumatic to the organisation, and knowledge transfer is more important than in the BUY model. The option for contractors is still present, of course, but key employees are likely to be full-time staffers. The initial cost for hardware and software acquisition is often lower in this model.
Both approaches have merit, but they impact the company’s cost structure in different ways. Option A puts more emphasis on purchasing the right tools. Option B puts more emphasis on hiring strong technologists who will build the right tools. You always need good, dedicated people, but the skill sets required will be different for the BUY model than the BUILD model.
Either option is valid, so an organisation is not obligated to use only one method to the exclusion of the other, but the staff that is in place will have an impact on which approach is easier to implement. Once an organisation has settled upon the model that will define the general direction of their investment strategy, they need to do two other things:
- Identify the security risks facing the organisation and prioritise
- Start simple with every investment, then evaluate for possible expansion
Identify Risks & Prioritise
It is almost impossible to resolve issues that are not known to exist, and it is extremely difficult to set priorities and make wise choices for the investment of time or money, so the identification of risks must be performed. And the list of risks must be updated regularly. A stale risk profile is in many ways worse than a non-existent risk profile, as it can lead to a false sense of security.
Round One: Simple Solutions
Once risks have been identified and prioritised, there should be every attempt made to implement a Security & Technology Procurement solution that balances simplicity and thoroughness. It doesn’t matter whether the solution is being built or purchased, the goal is to get something useful in place that will address the key risks identified, but which is expected to be potentially replaced in 12-15 months.
Ideally, the initial deployment should take no more than 4-6 weeks, and should cover a minimum of 80% of the initially understood needs of the organisation for the risk it is intended to address. Getting something in place quickly and cheaply will be of immediate benefit to the organisation, and it will help expose which features are really needed by the organisation vs those which were only nice-to-haves.
For organisations employing the BUY model, it makes it much easier for them to evaluate the merits of the vendor feature lists that will be vying for the corporate budget.
For organisations employing the BUILD model, they can quickly get to work on another round one project, and start putting the necessary team, budget and executive support in place for any round two projects.
For SMBs that have a limited hierarchy and are not used to any sort of formality in solution procurement, embracing this strategy can be a very effective way to add some needed process maturity without becoming overly bureaucratic. The value of a size appropriate cost/benefit analysis, and the introduction of some process discipline into the planning, procurement and deployment methodology cannot be overstated for SMBs.
Select an investment strategy to control your costs while obtaining real security benefits in a timely fashion.