Friday, January 30, 2015

The Perfect Cyber Security Firm?

What is the perfect cyber security firm? What does it offer?
This was a question asked of me at a recent talk with start-ups and people looking to get into the cyber security market.
My initial response was "I’m not qualified to answer that", but, me being me (you would understand if you ever saw one of my talks), I answered the question.
First, there is no such thing as a cyber-security firm, because that assumes the firm is engaged in protecting "cyber", and after 15+ years I’m not sure what a "cyber" is.
A firm dedicated to the protection of information is a different animal. Such a company has to address several different client requirements, including:
  • Protect the data
  • Don't slow down business
  • Educate the employees
  • React to breaches
  • Find the bad guys
  • Explain how the attack happened
  • Fix it
  • Save the client money
Most companies in the "cyber" security space focus on the "React to breaches" business, as cyber breaches are no longer a matter of if but when, and how many times. For many this is a great money-making model, and it has been supported by mandatory audits, reporting requirements and legal risks.
However, that approach is limiting, and given the number of new security-related companies joining the mix, good or bad, the profit margin shrinks. Incident response relies on people/companies not knowing how, or not having the tools, to respond themselves, which is simply no longer the case.
Other firms sell equipment, software, hardware, or even claim to manage the whole security world for you, but again this is limited. Equipment and intel are only as good as the people using them. Likewise, a managed solution requires in-house action by the client, or it is a pointless service. (Lack of employee action is always blamed on the service provider.) In addition, if you do not understand the business you are selling into, you do not understand which risks on the threat matrix really apply to them, or how employees will circumvent your “fix”.
The firms that will survive and expand need to change their focus.
Cyber/Information security needs to focus on information management first. What information do you have, why, who has access, and how do you know?
Understanding the business implications of information and of the security apparatus is equally if not more important than what type of firewall or IDS/IPS system is in place.
Clients often do not recognise these two key elements, because the backgrounds and education of those in charge are narrowed to specific fields such as IT, Sales, Marketing, etc. Security touches all of those and is often a revenue generator for each if management and business principles are applied.
So, back to the question: the perfect Information Security firm would address all of the client needs, starting with a business understanding and an information management focus, not a "sell my limited solution" pitch.
The firm will offer threat intel that highlights the viable client risks amongst those threats. This information can be offered at low cost, as it is really a relationship builder.
Proactive security assessments that highlight potential issues based on an understanding of the data controlled, the access to it, the monitoring and, most importantly, the business itself are the growing trend. Companies need to know the risks in a language they understand so they can make informed decisions on how to address them.
Education or awareness programs go hand in hand with proactive assessments. These programs need to be tailored to the audience and personal in nature. In the "cyber" world, as it is misunderstood by most, personal relevance is the key to building secure practices. You learn to lock your doors because you do not want to be robbed not because your employer told you to!
Incident Response needs to give way to Incident Management: the response is the first 24-48 hours; after that, management starts, and this includes the investigation, remediation, communications (internal and external) and resiliency. Any consultancy firm needs to be able to walk their client through the whole issue and not just air-drop in, do some forensics and disappear.
Managed Services is a new and tricky offering, because effectiveness requires spending time understanding the clients’ business processes and procedures rather than just applying some generic filters to the monitoring. Clients are looking for a turnkey solution, but unless the firm is handling five other companies in the same industry, the solution needs to be bespoke. In addition, managed services rely on a competent internal client resource to act on the information being provided. Clients need to be educated that a managed solution only works if the company is prepared to react to situations.
Remediation and Resilience are the new buzzwords, because we all know "cyber" incidents occur and you have to be able to bounce back. Companies need sounding boards to, in essence, hold their hands and get them back to fighting strength. A firm that can offer its clients that sympathetic ear without gouging them on price will see return business. Offering general consulting contracts, where the client can call at any time over the course of the year at a fixed cost per hour, is one way to address this.
In my opinion, the perfect "Cyber" Security firm is proactive before the incident, responsive to the incident and reactive post-incident. Above all else, the consultancy business is based on personal relationships, where you understand the client, their needs and what they want:
  • Protect the data
  • Don't slow down business
  • Educate the employees
  • React to breaches
  • Find the bad guys
  • Explain how the attack happened
  • Fix it
  • Save them money
Even if they do not.