Organizations need to have an overarching corporate strategy for staffing and product/service acquisition if they expect to maintain a holistic approach to information security & technology procurement. A key question that needs to be answered is: Build or Buy?
Many organizations – especially smaller organizations – take a one-off approach to acquire the hardware, software and services that they need throughout the year. After discovering a need, they make a short-term decision about the need in question without necessarily giving any significant thought to how this decision fits within a larger framework.
Even when major investments are being entertained, there may be no consideration given to how this purchase will impact subsequent purchases, or integrate with previous ones. There are, however, some serious implications that can come into play for an organization based on what type of strategy they pursue – whether deliberately or due to convenience/inertia.
Security and technology procurement
Option A: the BUY model
In this model, an organization selects industry standard tools and technology, and aims to hire above-average to guru-type employees who will integrate the technology into the necessary environments, whether corporate or customer-facing. The staff is reasonably interchangeable in this model, although technology costs are on the higher end for implementation. And “staff” can include a mix of full-time employees and contractors. Ongoing maintenance costs are average for this model.
This Wisconsin manufacturer needed to modernize its IT infrastructure to support rapid business growth.
Discover what they didOption B: the BUILD model
In this model, an organization hires the best and brightest, and uses software and/or hardware components to build custom solutions for the organization. This affords the greatest flexibility of tools, but requires higher staffing costs, and support and maintenance are tied to the staff for the full lifecycle of the solution. Staffing changes are a bit more traumatic to the organization, and knowledge transfer is more important than in the BUY model. The option for contractors is still present, of course, but key employees are likely to be full-time staffers. The initial cost for hardware and software acquisition is often lower in this model.
Both approaches have merit, but they impact the company’s cost structure in different ways. Option A puts more emphasis on purchasing the right tools. Option B puts more emphasis on hiring strong technologists who will build the right tools. You always need good, dedicated people, but the skill sets required will be different for the BUY model than the BUILD model.
Either option is valid, so an organization is not obligated to use only one method to the exclusion of the other, but the staff that is in place will have an impact on which approach is easier to implement. Once an organization has settled upon the model that will define the general direction of their investment strategy, they need to do two other things:
- Identify the security risks facing the organization and prioritize
- Start simple with every investment, then evaluate for possible expansion
Identify risks and prioritize
It is almost impossible to resolve issues that are not known to exist, and it is extremely difficult to set priorities and make wise choices for the investment of time or money, so the identification of risks must be performed. And the list of risks must be updated regularly. A stale risk profile is in many ways worse than a non-existent risk profile, as it can lead to a false sense of security.
Round one: simple solutions
Once risks have been identified and prioritized, there should be every attempt made to implement a Security & Technology Procurement solution that balances simplicity and thoroughness. It doesn’t matter whether the solution is being built or purchased, the goal is to get something useful in place that will address the key risks identified, but which is expected to be potentially replaced in 12-15 months.
Ideally, the initial deployment should take no more than 4-6 weeks, and should cover a minimum of 80% of the initially understood needs of the organization for the risk it is intended to address. Getting something in place quickly and cheaply will be of immediate benefit to the organization, and it will help expose which features are really needed by the organization vs those which were only nice-to-haves.
For organizations employing the BUY model, it makes it much easier for them to evaluate the merits of the vendor feature lists that will be vying for the corporate budget.
For organizations employing the BUILD model, they can quickly get to work on another round one project, and start putting the necessary team, budget and executive support in place for any round two projects.
For SMBs that have a limited hierarchy and are not used to any sort of formality in technology procurement, embracing this strategy can be a very effective way to add some needed process maturity without becoming overly bureaucratic. The value of a size appropriate cost/benefit analysis, and the introduction of some process discipline into the planning, procurement and deployment methodology cannot be overstated for SMBs.
Select an investment strategy to control your costs while obtaining real security benefits in a timely fashion.
