Making the right decisions in cybersecurity is critical to business today. If you make cybersecurity decisions for your company, it can be hard to judge whether a solution actually meets your needs. In our conversations with clients, three factors come up whenever they invest in cybersecurity: time, money and risk.
This post focuses on time and money. It will help you build a purchasing framework for cybersecurity and become a better buyer by: (a) understanding which option(s) fit your company's size and security maturity; and (b) learning how to quantify time and money by asking better questions.
All companies should look at four options when building out a cyber practice and explore the right fit for them:
1. In-house option: purchase prevention technologies, hire your own people and build your own processes;
Best suited for: Large Enterprise (5,000+ employees);
2. MSS (Managed Security Services) option: purchase prevention technologies and have a security company manage that technology with its people and processes;
Best suited for: Medium & Large Enterprise (1,500+ employees);
3. MDR (Managed Detection and Response) option: purchase a platform from a security company that brings its own technology stack, people and processes, and runs detection and response for you. Provides a holistic perspective on security, covering detection and response rather than prevention alone;
Best suited for: SMBs (<250 employees, with critical systems) and SMEs (250-2,500 employees);
4. "Do Nothing": keep the current set-up as is;
Best suited for: companies that have not evaluated, or have not correctly evaluated, the risks they face from cybersecurity threats and vulnerabilities;
The "Do Nothing" option is a choice companies make every day. It happens because they are comfortable with the status quo, feel "secure enough" with a firewall and AV, or do not think they are a target. A firewall and AV are prevention controls only: they give you no way to detect an attacker who gets past them and no way to respond when one does. No matter what size your company is, attackers will hit you with network attacks, malware and/or data exfiltration; that holds for large enterprises, SMEs and SMBs alike. Tighter budgets often leave SMEs with gaps, and those gaps make it easier for attackers to get in. Attackers are like burglars: they look for the easiest way in, and if you leave the door unlocked or a window open, they walk right in.
The questions below will help you quantify time and money when making cybersecurity investments:
- Are we using our people's time effectively?
- How much time do our people currently spend on cybersecurity tasks that the investment we make will replace?
- Can we shorten our time to value (shorter deployments, faster access to information and reporting)?
- How long will integrations and onboarding take?
- Does the solution automate work we do by hand today (less internal labour spent on tasks)?
- Can we spend less on people by purchasing this solution, and how much? (Hint: count both the people and the technology they would otherwise need.)
- Do we need 24/7 capabilities and, if so, do we have enough people to deliver them? Covering one seat around the clock is 168 hours a week, which is at least 4.2 full-time analysts at 40 hours each before holidays, sick leave and training; in practice plan on five to six analysts per seat, not three 8-hour shifts.
- Do we have the people to manage the prevention technologies we are purchasing and, if not, would it make financial sense to outsource this function?
- Will the time spent on integrations and onboarding create hidden costs?
- If we do not purchase and get hit, what would our financial penalties and recovery costs be?
- If we do not purchase and get hit, would we lose customers?
There are many more questions to ask, but the ones above are a good starting point and will put you ahead of many companies out there. The next article (coming soon) will cover how to build a business case for your board, focusing on the three viable options: In-house, MSS and MDR.