One of the masters of irony is Scott Adams, with his Dilbert cartoon series. The strips always give me a chuckle. Several years ago he had a cartoon in which the manager is sitting in a meeting and says, “We are going into the tablet computer business.” Then he says, “And by that I mean other companies will make the product and we’ll design the logo.” Then he says, “And by that I mean we’ll pay another company to design the logo for us.” Then one of his subordinates sitting next to him says, “Can we watch?” Funny stuff when you think about it, in our age of adding value.
I have seen this type of scenario unfold many times. And then think about the field sales force that is stuck having to sell some type of value based on this business model. It usually does not end well.
What We Can Do
So, in cybersecurity, this raises the question: what can we do, and what can we not do? I have talked about do-it-yourself security here. And I have talked plenty about what the responsibilities of an executive are and what he can and cannot do. I have also talked extensively about what kind of help you will need and when you will need it. And we will have some more to say about this soon.
But ask yourself what makes a good mix for a project, be it cybersecurity or not. What is the right amount to do in-house, and what should be outsourced? Who are the right players? Who are the wrong players? These are all important questions that should be addressed before embarking on a cybersecurity project.
Finding the Mix
Finding that right mix can be difficult at times. But look at your own cybersecurity staff or the cybersecurity contractors you have working for you. Who is qualified, and who is just in the position because they were next? Then think about the critical functions that must be done inside and cannot be done by anyone else. Let’s start with executive decision making: that cannot be outsourced; it has to be done from within. Your eyes and ears? These are the employees on the ground doing the work with the data every day. They cannot be outsourced. Only the employee working locally in that particular position can be the sharpest eyes and ears, alert for an attack.
You will need some type of in-house cybersecurity authority, sometimes a CISO or multiple cybersecurity authorities. This is critical. But when it comes to getting help, either on a temporary basis until you can fill a position or to complete a cybersecurity project, outside help is important and many times essential. When you need to study how your current cybersecurity posture is working or failing, outside help is mandatory. When you are formulating your cybersecurity policy, outside help can be essential, since outsiders have the perspective to see what internal folks cannot.
These are all important areas, but you can see there is a mix. The right mix will be different for each company. Just make sure you know what business you want to be in.