After months of budget negotiations, you finally have management/board approval and a budget has been allocated to you. Now you are thinking of optimizing the costs of cyber tools and projects you want to undertake so that you can maximize the budget.
A lot of Chief Information (Security) Officers (CIOs/CISOs) will start by engaging cybersecurity vendors and suppliers to secure the best deal cost-wise, or by engaging a consultant, who, by the way, does not come cheap. After months of back and forth with vendors and consultants, each of whom may have their own interests at play, you have been blessed with a shipload of cybersecurity tools and programs to sign up for.
Let me guess: you probably have perimeter defense tools (extra firewalls, network access control and extra configurations), visibility and insight tools (Security Information and Event Management (SIEM) or Managed Security Services Provider (MSSP) tools, vulnerability and risk assessment tools), risk management tools that detect fraudulent activities, and a cohort of other tools meant to harden your systems and user workstations against easy exploitation (anti-malware tools, patch and upgrade tools, encryption tools, etc.).
What is more, all these tools come with their own separate professional services, whose cost could, let's face it, buy a few additional tools if needed.
What do you do at this point? How do you select the right combination of products that will give you the best value for money?
In this article, I hope to guide you, whether you are a CIO, CISO or product manager, onto the right trajectory in your selection process for cybersecurity products that add value to your business.
Recommended approach & methodology for selecting products
- Understand your risk profile & prioritize your investments
Developing a risk profile ensures that you can categorize your IT assets and score them according to their potential impact on business processes if breached. Once you know your critical 'gold' assets, investing to protect them from both insider and outsider threats becomes easy, if not straightforward.
Most importantly, risk assessments should not be conducted as a one-off activity. Part of the cybersecurity budget should go into a regular risk assessment program, so that you can rebalance your cyber resilience strategy as needed. Furthermore, an understanding of changing business needs, changing trends in the threat landscape, and new product innovations will help you stay on top of issues.
- Do not neglect basic controls
Although threats have evolved, organizations should not neglect basic protection. Implementing the tools that have successfully protected organizations in the past ensures that you have a baseline of protection. These basic controls, namely email filtering, web filtering, endpoint protection, intrusion detection and prevention tools, and other perimeter defense controls, should be covered first before moving on to more complex tools and controls. After all, Maslow has taught us that to achieve more, you first need to ensure that your basic needs are covered.
- Gain visibility and insights
Perhaps the biggest piece of investment should be allocated to securing visibility through the deployment of a SIEM solution that provides analytics-driven insights into what needs to be protected. With the right insights, you will make more intelligent decisions, spending money where you should. Visibility should let you look everywhere for emerging threats, including those originating from third parties.
Selecting the tools that will give you the best value for money
Selecting a product from a group of similar products that promise the same control can be a daunting task. Most vendors today add a few extra features and functions to help sell their products. Should you be swayed by conversations about the extra features they promise, you will most likely end up with a white elephant in your cohort of tools.
Your most likely selection criteria will include cost implications (initial capital and total cost of ownership), features, functionality and benefits, peer reviews and online recommendations from previous and existing users, as well as advice from research and advisory groups like Gartner. These are all good. The reality, however, is that your selection criteria must answer the most essential question: "Is my organization well protected with these tools?"
To answer this question, you need experience and the ability to continually test the tools against changing business and technical needs, as defined by your updated risk score. It also means taking the necessary steps to outsource certain aspects of your cybersecurity program where there is a skills gap.
By carefully defining and prioritizing your product requirements according to your target risk profile, you are able to make more informed decisions about buying the right products and services to fill the gaps identified against your target profile (see Figure 1: NIST Roadmap Target Profile).
Figure 1: NIST Roadmap Target Profile
The best value you can provide to your organization as a CIO, CISO or product manager is to track and monitor the investments made and to tell whether they are delivering value. Continuously answering the question "Are my tools protecting my organization as required?" will help you make the decisions that keep your organization safe.
About the author
Kwadwo Akomea-Agyin has worked as a product management and project management specialist in various capacities across three industries: telecommunications, fintech, and currently ICT and cybersecurity. He drives solutions to create value. He is also a member of IIPGH and a regular contributor to this page.
LinkedIn: Kwadwo Akomea-Agyin, PMP, MRes. | Email: firstname.lastname@example.org | Tel: +233544341374