Cybersecurity Services – Responsive or Responsible?

Nobody can deny that the business of cybersecurity has become one of the hottest and in-demand segments in the IT marketplace. It is clear that the criminal element can conduct their activities globally with ease and little chance of apprehension. In a rapidly growing and evolving digital revolution the future is likely to accelerate risks and threats. More and more of our daily corporate and personal lives are going to rely on embedded and Internet of Things (IOT) devices to the point where any disruption can result in not just inconvenience, financial loss, but a threat to life.

The entrepreneur in many sees this as a beckoning opportunity to enter this business space with a low chance of failure due to high demand. Speciality start-ups who have a visionary, and some bright technical support can engineer a breakthrough software solution, whereas many established service-oriented businesses either have, or will have their Business Development organization develop and execute strategy to extend the scope of their business to cybersecurity.

But what is the likely governance and standards response as there are many entrants into this market whose entry is merely opportunistic, rather than responsible? As mentioned, errors in performance can be catastrophic. While there may be certifications such as CISSP, CHS, and CISA, quite valid, these apply to individual practitioners and only in one specific part of the cybersecurity service, namely Attack and Penetration Testing and similar activities under many different names. It’s also notable there is high demand and a shortage of this talent and consequently has a significant price tag attached. The knowledge base required is also not static. The hackers learn new tricks at a rate that is alarming. It’s easy to understand that under these pressures there will be some service providers whose claims of excellence are without substance.

So, what is a customer to do? Is it a situation of “caveat emptor”, or buyer beware? Does it require a government bureaucrat, whose cybersecurity knowledge is only limited by the amount of paper they can produce to set performance standards? Does it require the customer to become as knowledgeable as the supplier? Customer references are also not an option. What business is willing to publicly reveal that they have been a victim of a cybercrime or what vulnerabilities have been detected in their infrastructure? Even big consulting companies and Managed Service Supplier brand names are not reliable. They too can establish a “cybersecurity division” to either harvest a pent-up demand in their existing client base or as a defensive measure to lock out competition that may be a threat.

It is therefore up to the customer to validate the qualifications of the prospective supplier. This isn’t a simple matter when one considers that the knowledge required to do so would obviate the need for the service. However, a few logical considerations would certainly weed out the most obvious losers.

As mentioned earlier, the demand for the qualified is high and availability is low. If the prospective supplier is ready to roll with little advance notice and has people “standing by”, one should wonder why. It would make little business sense for them to have an expensive idle bench, or little work on the board. The service is work-intensive, detailed and time consuming. It requires serious resource planning and demands high utilization. Smart people in this business don’t stay idle long and will move to where there is action and excitement. They thrive on challenges and outsmarting the newest and smartest hackers. The customer may feel that their need is urgent, but in this situation, the solution may be inadequate to the need.

Cybersecurity service solutions are complicated. Every customer infrastructure and network landscape, cloud or on-premises is different. Operating systems, database management software, web services, applications are all very specific and tailored and likely have evolved through many generations and releases to what exists today. Depending on discipline, even the inventory of what is deployed is frequently uncertain. Without a careful analysis and scope determination, no service supplier should profess to deliver a credible penetration test and certainly not on a credible schedule and at a cost even close to the quote.

Service excellence takes years of practice and experience. This creates efficiencies through repetition. A quick elimination of the “usual suspects” that are the earmarks of a wise practitioner are the most effective at containing scope and cost. This allows for attention to the hard to detect or the more recent threat vectors that the less experienced will also be likely to miss. When the supplier is new to the business, and yes, they all deserve a fair chance, be sure to also manage your expectations and be prepared to manage your supplier.

Cyberthreat audits and reviews need to be repeated. Today’s or the most recent will not detect or avert ones developed by hackers or flaws in software releases six months from now. The message here is clear. Your cybersecurity service supplier is a relationship, not a “drive-by”. If you didn’t like them the first time, chances are as second date will be equally unsatisfying. However, if you did, they are familiar with your solution set and possibly the critical needs of your business. Unless there have been changes, there are assignment efficiencies by not having to examine rooms in your house that don’t need it. This is an opportunity to either contain cost, or better yet dig deeper to mitigate security risks in other areas of your business.

In conclusion, I expect that none of these points mentioned require you as a customer to become a cybersecurity expert to choose wisely and manage responsibly. All the counsel given is directly translatable to everyday sound business practices that are familiar and are already part of anyone with sound business acumen. Armed with this confidence, getting qualified cybersecurity service should no longer be a need unfulfilled. Closing as this article opened, you cannot deny the service is needed in your business. If you have avoided paying attention to it because selection process was obscure, that should no longer be the case.