A major leadership failure in cybersecurity is buying tools first, then figuring out where they fit and how to use them. That’s super backwards. Here’s what I would do instead.

Plan first, buy & implement second. I’m going to cover just the planning part this week. Next week we will talk about buying and implementing.

Because honestly, implementation is where a lot of security teams go wrong. Let’s get into it…

1 - Plan First

“The time to have a plan is before you enter the woods.”

There’s good reason for this. If you don’t know where you’re going then any route will take you there.

But when it comes to security, taking any route means you’re making arbitrary decisions (rolling the dice) that may or may not align with your organization’s business goals, not to mention your security program goals.

Here’s the framework I run through when I’m shopping around for new tools:

  1. Identify the problem you’re trying to solve. Don’t be afraid to spend some time here and with your team to truly figure out what problem(s) you’re trying to tackle. Once you know this, finding solutions that fit becomes much easier.

  2. Identify & involve stakeholders. I almost put this as number 1 but I firmly believe you have to start with the problem first. This is vitally important. If you buy a tool that impacts stakeholders outside IT and it’s the first time they are hearing or seeing it, there will be frustrations as a result. The best time to involve stakeholders is at the beginning, during the planning stages. These stakeholders can actually provide insights on the tools, features and implementation work. Get them involved early.

  3. Identify the core features you need. Think about which features of xyz product you need to have at a minimum.

  4. Identify the “nice to have” features. These are the features that are not hard requirements but would be nice if you could get them and stay in budget.

  5. Determine your ability to implement. This means that you have thought about and planned for the effort and resources involved with that new tool. Do you need to rip out an existing tool first? Do you need professional services support from the vendor? Do you have a long enough window of time to implement this new tool? Will your team need to be trained on this new tool? All of this should be discussed and thought about prior to making any purchasing decisions.

  6. Determine your budget. Yes, we all have budgets, and no matter how amazing a security tool is, if it bankrupts you, you no longer have anything to protect because you’re out of business. Budgets can be good bartering chips, but they also help you stay within the bounds of what’s feasible, so you don’t go looking at tools that are way out of your price range.

There’s a lot to consider when it comes to buying and implementing new tools in your environment.

If you’re buying a tool that involves any kind of vendor sales cycle, then you should be planning and preparing adequately.

Avoid the temptation to pull the trigger too quickly before you’ve gone through these steps.

You’ll thank yourself later.

All the best
Spencer Alessi
