Sourcing Cybersecurity: 7 key lessons
by Thomas Busking, managing consultant at Strivesource
Cybersecurity is an interesting space to be in. Rapid technology advancements simultaneously drive both the effectiveness of security and the threats against it. But, having sourced cybersecurity for over a decade now, my experience is that the procurement of cybersecurity is lagging behind. Just as cybersecurity needs a special approach, so do the selection, contracting and vendor management of cybersecurity suppliers and solutions. To start, let me share 7 key lessons on sourcing cybersecurity.
1. Choose the right implementation partner
Security and its technologies are in many respects still a niche. The experience of many of the well-known global implementation partners is limited or hugely exaggerated. This results in many cybersecurity tooling implementations being delayed or failing. Choosing the right implementation partner is key to successful deployment: pick the ones with a proven track record and deep knowledge of the technology. Challenge the incumbent suppliers that are often used in your company and focus on total cost over the course of a project instead of day rates.
2. Where to make use of Enterprise deals
Technology suppliers like to sell Enterprise deals and their pitch is usually that you will maximize the coverage of the respective security risk with it. But with Enterprise deals the key is value for money. Using such company-wide deals to cover security technology gaps might tick the box on paper, but at a prohibitive cost and often without addressing the actual cybersecurity risks. Are Enterprise license deals always bad? No. In the area of endpoint security or anti-phishing, deploying the technology across your organization can be very effective. And with the right negotiation support, Enterprise agreements can provide great value for money.
3. Make security at your vendors part of your cyber strategy
Your organization has invested a lot in building a cybersecurity practice: a well-equipped team and the right technologies, integrated with your business units. Then a data breach happens and you find out that it’s not coming from your well-protected systems and processes, but from one of your suppliers. Sounds familiar? Vendor security should be a key component of your information security strategy. Any company has at least several suppliers that process sensitive data, and for non-sensitive personal data processing that number often runs into the hundreds. Include information security in contracts, track improvement plans at suppliers and conduct thorough checks on your critical suppliers to prevent data breaches there.
4. Finding the best solution in an emerging cyber security market
The supply market in cybersecurity is changing rapidly, being shaken up on a quarterly basis. Start-ups in security turn into scale-ups and scale-ups turn into mature businesses. Consolidation is happening, but at a slower pace than the entrance of new challengers. Picking the solution that has not only the best capabilities but also the ability to keep up is challenging for enterprises. Having strong expertise in the security supply market is therefore a strong advantage.
5. Standard does not always suit your company
Your company is special. It’s what makes you profitable or might prevent you from becoming more profitable. Your company has special processes, specific integrations, a legacy landscape of custom technologies unique in the world. So as much as we’d like it, standard does not always work. This is especially true for information security: you need specific threat intelligence, customized rules adapted to your organization and log data analysis in light of your niche business. Properly addressing this in your supplier selection will secure the right solution for your special situation.
6. Using ‘make or buy’ in your cyber security strategy
What is your competitive advantage as a security organization? Which data or products are key to protect? Invest in expertise that is critical to your industry or intellectual property. Outsource what the market does very well and what is difficult to build up yourself. It is impossible to build up the same threat or data analytics as some of the key providers have, just as you can’t replicate the sheer number of analysts. Focus on building up the niche expertise for your organization and source the rest.
7. Maximizing value for money
Use competition to source your suppliers. Apply smart negotiation and contracting tactics. Deploy efficiently and maximize value by managing vendors in your landscape. This is easier said than done: there will almost always be value left on the table. Make use of experts in the field to reach optimal results, presenting you with the best value for money you can get.
Strivesource has a proven track record in Cyber Security dealmaking, sourcing strategies and cost benchmarking, and in-depth negotiation expertise. We can support you with creating your sourcing plan, negotiation support or getting more value out of your Cyber Security contracts and licenses. Contact our Strivesource lead now.
Thomas.Busking@strivesource.com +31 6 55483185