Cybersecurity After Dark | Episode 3

In Episode 3 of Cybersecurity After Dark, Sean and Dan tackled a philosophical question from a cybersecurity professional named Guru (no pun intended) on how to know if you have the right cybersecurity solution. Apparently, according to Guru, nobody has the right solution, because if they did, there would be no breaches. 🤯

Sean and Dan conceded it’s impossible to prevent every single breach. But buyers and vendors can improve the odds by changing current standards in cybersecurity tech acquisition models. Check out their 4 takeaways below. 

Catch the full episode on YouTube! 

A better model for acquiring cybersecurity solutions

How can a company know if they have chosen the right cybersecurity solution? That’s the million-dollar question posed by Guru (aka Gurubaran) in the article “Why Businesses Need a New Cybersecurity Tech Acquisition Model.” The obvious metric is “all devices or networks are free from any security breaches.” But even huge, well-funded, technically sophisticated companies have had breaches.

While there are best practices for acquiring cybersecurity solutions, there is no quantitative, objective approach to examine the efficacy of a system. Most companies are left to scour the equivalent of “Yelp for IT” reviews, like TrustRadius, to get some sense of what works and what doesn’t. There are other issues as well: underused cybersecurity features, buying technologies without thorough internal evaluations of the existing system, etc. It’s high time for a new cybersecurity acquisition model!

Cybersecurity tech acquisition has become a “market for lemons”

While there are many innovative solutions, there are also many gimmicky, ineffective features and functions out there. According to the Debate Security report, most cybersecurity professionals are unable to differentiate between “good” or “bad” cybersecurity solutions. An alarming majority of organizations have little confidence in the effectiveness of the solutions they purchase. “We buy it, and then we cross our fingers and hope the technology will work,” said one CISO in the study.

The low trust and confidence in cybersecurity solutions is not surprising given the volume of breaches making national headlines. Clearly, cybersecurity leaders are ready for, and need, a new cybersecurity acquisition model. The answer lies in knowing what’s inside your stack and making decisions based on what will work best for your enterprise.

An economics problem, not a technology deficit

Guru holds that the problem with the current cybersecurity tech acquisition model is not technological; it’s economic. Security firms and organizations ceaselessly develop new ways to address cyber threats and attacks. But vendors focus on peddling a product instead of a real solution to customers. Buyers become too focused on compliance while vendors try to cash in as much as possible on ever-growing demand in the cybersecurity market.

This needs to stop.

Creating a new cybersecurity tech acquisition model

According to the Debate Security report, creating a new cybersecurity acquisition model means changing the dynamics between buyers and vendors. Technology offerings, product promotions, and stakeholder perspectives all should come into play during deliberation on potential cybersecurity technologies. Furthermore, the new model needs to focus on the following benefits: 

  • Greater cybersecurity effectiveness: Many businesses don’t fully understand their security risks and vulnerabilities. This piece is probably the most critical to guiding decisions on cybersecurity investments that serve the business’s interests and bottom line.
  • Meaningful technology evaluations: Establish common standards on what makes a product effective and optimized for specific use cases.  
  • Improved ability to set risk appetite: No company has an endless budget, so companies always set “risk appetite” or “what can we afford not to do.” This goes hand-in-hand with knowing what’s in your stack and guides smart security decisions. 
  • More informed security prioritization and differentiation: Vendors have to be transparent about the capabilities, capacities, and coverage of their security offerings. Not only does this help buyers make informed decisions, it also creates trust and customer loyalty.
  • Correlation between security spending and efficacy: If buyers and vendors are transparent with each other, the dissonance in the cybersecurity market will tone down. Ultimately, buyers will spend on the right solutions and protection that correlate with needs and risk factors.

Sean and Dan’s 4 Takeaways

Why do we buy cybersecurity solutions? To stop breaches – yet the breach landscape keeps growing. Therefore, nobody has the “right solution.” This is a deeply philosophical but true statement. So, Sean and Dan dug into the reasons behind this dilemma.

1. Tool churn

It’s not so much about tool sprawl as about tool churn. Due to the high rate of CISO and CSO turnover, organizations can go through several “new-fangled” tool implementations within a matter of a few months. The answer to the question, “Why are we using this?” is “Well, this worked at my last organization, so it will work here.” We bought these tools and we still had a breach. But maybe the better questions to ask are, “Are we implementing them correctly and to their full capacity?” and “Do we need more training?”

2. Underutilized cybersecurity solutions

Cybersecurity solutions tend to be underutilized. According to Gartner, IT and operations tools are about 70-80 percent underutilized. It wouldn’t be a far cry to assume the same is true of cybersecurity solutions. Perhaps that is the heart of the problem. Companies don’t know how to measure the success of a security solution, whether they have configured it correctly, whether they have implemented it to get the most out of it, etc.

3. Break down silos between business and security teams

When it comes to understanding and quantifying vulnerabilities and risks, perhaps what companies need is to tear down the silos between the technology department and accounting. Sean and Dan think we need more business analysts buddying up with security teams. This merge of minds and skills could catalyze better conversations between buyers and vendors. 

4. Acquiring cybersecurity solutions starts with educated buyers

Buyers are confused and inundated with calls from security vendors. They have a hard time understanding what’s “good,” what’s “bad,” or even what they need for their environment. But this is not necessarily about demonizing vendors. They have a product and they need to get the word out about it.

What it boils down to is informed buying. The real way to improve the cybersecurity tech acquisition model is to ensure companies are informed enough to have a conversation with vendors that leads with, “Is this the solution that fulfills the need that we have?”


Nichole Kelly

Vice President of Growth

Nichole Kelly brings over two decades of experience in growing organizations’ top-line and bottom-line revenue. As one of the leading marketing influencers, she is the author of "How to Measure Social Media" and has traveled the world teaching marketers how to build and execute ROI-driven marketing strategies at every major marketing conference. Also an entrepreneur, Kelly was the founder of SME Digital, a digital marketing agency that was sold to Renegade Marketing.

Kelly leads an active life of service and is the founder of The Bipolar Executive blog and podcast. This project is designed to help shift the conversation around mental illness to one of mental wellness in Corporate America.

Kelly holds a Bachelor’s Degree in Business Administration with a minor in Marketing from Saint Leo University.

Chris Schroeder

Vice President of Engineering, Co-Founder

Chris Schroeder has over 25 years of experience in large complex IT environments from the Fortune 500 to the federal government. Chris has an extensive technology background in mobility, infrastructure operations, and data analytics. Schroeder is a seasoned entrepreneur and co-founder of App47 and the Vice President of Engineering and co-founder of RealOps (sold to BMC).

Chris is an active volunteer in his community coaching boys and girls lacrosse, supporting high school STEM programs, and serving on the Pastoral Council. 

Schroeder holds a Bachelor’s Degree in Computer Science from Radford University and a Master’s Degree in Technology Engineering from George Washington University.

Sean McDermott

President & CEO, Founder

Sean McDermott’s curiosity for advancing technology began at his first job as a network engineer/architect installing and managing the first private internet for the U.S. Department of Justice. At a time when the internet was just taking off, McDermott was at the forefront, and he has continued to be on the cutting edge of technology, leading Fortune 500 companies through the dot-com bust, 9/11 and the 2008 recession. Sean has over three decades of experience working with CIOs in the Fortune 500 to trailblaze innovation and protect the IT infrastructure of the largest commercial and federal organizations in the world.

McDermott is a mission-driven, serial entrepreneur who founded Windward Consulting Group, RealOps, Inc. (sold to BMC), App47 and RedMonocle. He is also the founder of the Windward Foundation and Alzheimer’s Caregiver Alliance, an organization dedicated to easing the burden of caregiving for individuals and families touched by Alzheimer’s disease.

McDermott is a member of the Forbes Tech Council and has been featured in Security Boulevard, TechRepublic, IT Visionaries, APM Digest, Inside BigData, DevPro Journal, IT Toolbox and more. He holds a Bachelor’s Degree in Electrical Engineering from Villanova University and a Master’s in Engineering Management from The Catholic University of America.
