Source: StaySafeOnline.org | Guest Author | June 20, 2016

Global organizations will spend $88 billion this year on cybersecurity, nearly doubling this investment to $170 billion by 2020. Yet, many organizations have a major blind spot: they believe that spending additional money on cybersecurity automatically leads to greater security and reduced risk. It is not unusual for an organization to deal with 30 to 40 different technology point solutions from different vendors, often within the same technology segment in the case of multiple business units. As a result, they spend more time and money than necessary. 

Unfortunately, organizations are not specifically thinking strategically: they are not looking across the enterprises to architect their overall approach, processes, teams and execution. Thus, they do not really know if their cybersecurity risk has been reduced. They are often purchasing technology point solutions from providers haphazardly, without understanding their existing technology stack and how these new solutions will fit with their overall cybersecurity risk management strategies and architecture.

However, an organization can eliminate or at least reduce its blind spot by using a formal, structured process for engaging technology solution vendors. This will also ensure it has the best vendors to support its cybersecurity strategy and architecture. While this process may differ somewhat by industry, it usually has the following seven key steps:

1. Establish a Baseline of Cybersecurity Spend and Risk

The organization should establish a cybersecurity risk and spend baseline that highlights the following: 1) Spend at the enterprise level and in each business unit, 2) which vendors provide the technology solutions and 3) which individuals in the organization are responsible for the spend. This information must be analyzed with an understanding of the organization’s cybersecurity risk posture (for example, relevant risk dimensions/drivers, understanding of probability and quantify impact, identification of markers and quantification of exposure). Obtaining this information will provide the fact base to understand where the organization is and what gaps, duplications and overlaps may exist.   

2. Segment Cybersecurity Firms and Develop Requirements

The organization should next determine what its cybersecurity requirements are for today and the near future, which begins with inventorying all assets and then mapping them against vendor services to ensure there are no gaps. If any gaps exist between these requirements, the organization should start considering how to close them.

This visibility will also enable the organization to identify which vendors provide the same solutions in different business units and whether each solution is offered on its own or as part of a vendor’s package of services. With this information, the organization should decide whether its solutions might be combined at the enterprise level or should remain where they are because they are unique to specific business units.

3. Profile and Rank Cybersecurity Vendor Capabilities

The organization should analyze its cybersecurity vendors’ capabilities to make sure they match its cybersecurity requirements and should address any identified gaps. It also should consider other potential vendors in the marketplace and analyze their capabilities.

4. Develop a Cybersecurity Sourcing Strategy

The organization should document its short and long-term strategies for selecting technology solutions providers having critical capabilities needed to close identified gaps. It should prepare and execute a strategic sourcing/outsourcing plan for each technology segment and prepare a strategy around the number of vendors needed. Then it should implement systems to track the progress and benefits of each vendor. 

5. Develop and Issue a Cybersecurity Request for Proposal (RFP)

Before inviting vendors to bid, the organization should develop the selection/evaluation criteria to be included on the RFP. The organization should state up front what it expects from each selected vendor on an operational level, and how it will measure the vendor’s success in performing services. It should clearly define these expectations in the operational level agreement (OLA), service level agreement (SLA) and key performance indicators (KPIs) issued for each vendor. It should issue a RFP to vendors on its Tier 1 listing, including incumbent suppliers, whose services and capabilities will be compared with those of other bidders. From these bidders, it will select the optimal combination of service providers for each technology segment. 

6. Award a Contract and Develop a Cybersecurity Implementation Plan

The organization must evaluate the bids and conduct any necessary additional reviews, including assessing the vendors’ relative capabilities, reputation, references and cost, and award the contract to selected suppliers. Before the vendors begin work, the organization should develop a cybersecurity implementation plan, clearly laying out what the vendors need to do to begin providing service to the organization.

7. Operationalize and Implement the Cybersecurity Plan

In the final step, the organization should appoint someone to actively manage and oversee the vendors. This manager will ensure new vendors have the time and assistance needed to get up to speed and, if necessary, oversee a smooth transition from outgoing vendors to new suppliers. As the vendors begin executing against the OLAs, SLAs and KPIs, the manager should update these agreements as necessary and hold suppliers accountable for abiding by their agreements and for delivering results.

As important as these seven steps are to overcoming a cybersecurity blind spot, they are only the beginning of achieving greater security and less risk. Most organizations struggle to both integrate and operate the many standalone solutions on an enterprise basis. To integrate them, companies often turn to existing IT platform providers orleading cybersecurity companies agnostic to leading-edge cybersecurity tools. Even this action may not be enough. 

The investment in technology tools should be the output, not the driver of an organization’s cybersecurity strategy. Good security starts with the development of an enterprise-wide cybersecurity strategy. Ultimately, ownership and responsibility for cybersecurity rest with an organization’s management, not third parties. Nevertheless, only by implementing a formal, structured process to hiring and integrating technology solutions suppliers can an organization eliminate (or at least reduce) its blind spot and obtain greater confidence that it is better managing its cybersecurity risks and vulnerabilities, while saving time, money and resources.

About the Authors
John Anderson is a senior partner with A.T. Kearney and the founder of the firm’s Public Sector, Aerospace and Defense Practice. Howard Steinman is a partner with A.T. Kearney and a leader in the firm's Public Sector, Aerospace and Defense Practice in North America.