Be On The Money For The Next Cyber Security Investment

Admittedly, we tech people are often a little too excited about new and fancy tools.

As rightfully stated on the T-shirt below, when under pressure it is not uncommon to see CISOs go "trigger happy" on new tools, especially after attending a Gartner event, a vendor information session or any other conference.


Capitalising on this demand, small vendors are popping up everywhere, and major vendors go on shopping sprees acquiring small vendors and branding them into the existing portfolio (and thinking about integration later).

To avoid situations such as realising, two months before the project deadline, that a half-million-dollar tool suite may not live up to the downloaded datasheet, here are two principles to guide the right purchase decision. They will help you:

  • Maximise the likelihood of project success;
  • Provide the traceability back to business benefits, so that ROI can be articulated in the board report;
  • Act as an insurance if the project ever backfires (demonstrating that the investment was thought through, but failed due to circumstances beyond your control).

A Good Business Case (Duh…)

Here "good" means ticking the following boxes.

  1. Answer the question "what's in it for them" (the people who sign off the investment) - bring together your arsenal of frameworks, risk assessments, SWOT, etc.;
  2. Use data, both industry and company specific, and be as quantitative as possible;
  3. Apply company-specific evidence; be qualitative but objective;
  4. Project ROI and rationalise the projection.

A Solutions Architecture

Yep, a solutions architecture. The solutions architecture that answers the questions "why, what, how" in that order, not the other way around. The architecture also needs to look further than the lines and boxes for the tools, and cover the people and process elements as well.