How to Decide Whether to Update or Replace Tools in Your Cyber Environment
If you work in IT or cybersecurity, you’ve likely sat in on a number of debates about enhancing or replacing systems. Security issues, compliance requirements, and financial factors (including cyber insurance) all combine to make for a challenging environment on the best days, and when a system is perceived as a barrier to progress it’s very common for frustration to boil over into a desire to tear out the offending solution and replace it with something new. But that instinct can set an organization back time and money.
It’s easy to be enticed by the idea that some shiny new thing will solve all your problems – which it may – but it’s often worth at least exploring whether there’s an easier and less expensive option. Far too often I’ve seen or heard of perfectly good solutions being thrown out with the proverbial bathwater simply because they were misunderstood, misconfigured, or mismanaged.
My experience has shown that a full rip and replace is rarely warranted, and in this blog I want to share how I approach systems evaluation to give you a three-step process on how to look before you rip.
One of the most common activities Atlantic Data Security’s cybersecurity consultants perform is to provide a second opinion for a client trying to solve a technology challenge. The questions we ask during our evaluation phase are:
• What is the challenge the organization is facing?
• What experience do the team and its vendor(s) have with solving that challenge?
• What solutions are in place that currently address (or could address) the challenge?
Your goal during the evaluation phase is to understand the extent of the problem, inventory what resources exist to address the problem (staff capabilities, vendor expertise, software, hardware, etc.) and outline next steps for investigation.
A proper evaluation phase generates a number of questions and follow-ups that should be addressed during a detailed investigation.
It’s not uncommon for an overworked, understaffed IT team to lack full awareness of the capabilities of its existing systems and vendors. Your goal during your investigation is to confirm whether or not a solution to the challenge potentially exists among your organization’s available resources. Generally, there are three avenues to investigate at this stage:
• Staff expertise: It’s not uncommon for an administrator to configure an environment to their preferences, then move to another company and leave their replacement unfamiliar with an existing system. On the other end of the spectrum, many organizations have in-house experts on a number of tools who may not be aware that a challenge the tool could solve is being experienced by another business unit.
• Vendor expertise: Vendors possess a wealth of knowledge in a number of solution areas, but tend to suffer from two issues:
  ◦ They have been pigeon-holed by their customer as capable of delivering only in the particular area they were initially selected for.
  ◦ They have become lax in their execution, and haven’t been as proactive as they could be in helping solve problems.
The vendor relationship requires ongoing care and feeding from both parties, and a discussion about the organization’s challenge with incumbent vendors can be a great way to identify solutions that the organization may not have known existed.
• Product expertise: Products tend to grow more complex over time. In a market with hundreds of constantly updated cybersecurity tools, only the rarest of organizations fully understands all features and capabilities available through its software and hardware. This is especially true of longer-tenured tools, which may be running on an older version or may have had numerous upgrades and enhancements released that no one inside the organization was aware of.
As an example, next-gen firewalls are much more capable of providing network security than the same products were just a few years ago. An administrator looking for application control or active intrusion prevention may not even be aware that their existing firewall (or vendor add-ons) can provide these features.
At the conclusion of your investigation, you should have everything you need to make a recommendation to your decision makers. And when you do, you want to gather the pros and cons of each potential path in the areas below.
• Staff Learning Curve: Building expertise takes time, and time allocated to training will degrade performance in other areas until the team is fully up to speed. In general, the learning curve is shorter for existing systems than for new tools.
• Cost: Every solution carries a cost. While licensing models and existing contracts may make particular options more or less attractive, it’s important to factor in softer costs as well. If you’re considering a new solution, don’t forget to include the opportunity cost incurred during evaluation periods, which can be quite lengthy.
• Business Impact: Upgrades and migrations can affect uptime, staff capacity, and other business operations. It’s important to document the potential business impact on critical operations in order to make your decision makers understand how the business will be affected by your proposed changes.
• Time to Delivery: How critical is your challenge? Whether you need a solution yesterday or can wait a year, how does that affect your decision? Keep in mind that managerial patience with initiatives that run over time and budget tends to run thin, and such overruns can be difficult to defend when what was promised was greater efficiency.
I hope the above has helped you understand how to decide whether to repair or replace your cybersecurity tools. If you’re struggling with a challenging aspect of your technology, please contact Atlantic Data Security today.
Authored by: Eric Anderson
Cybersecurity Architect, Instructor, and Evangelist
Eric is a 35-year veteran of the technology industry, with the last 25 of those years focused on cybersecurity. After having served in just about every technical capacity from coding to customer service, in both pre- and post-sales, he currently spends the majority of his time working with clients to solve their security challenges. Combining creative thinking and sympathetic understanding of customer issues and motivations, he architects solutions to difficult problems while fostering deeper comprehension with those he works with and teaches.