Organizations today are realizing that cybersecurity threats are growing at a rapid pace. Every day we see multiple threat reports from cyber security vendors unveiling vulnerabilities, new threat actors, and the new tools, methods and techniques hackers are exploiting to execute attacks, from ransomware and EDR to IMSI location issues and Denial of Service attacks. Despite being bombarded with so much information, it’s surprising that it still takes an average of 300 days for an organization to realize that it has been the victim of an attack. This is especially surprising given how high the stakes are: regulations such as GDPR can lead to major fines and penalties, impact public sentiment and destroy shareholder value very quickly. It has become a major priority for board members, who are increasingly questioning CTOs/CIOs to understand the business risk of these threats and how they will impact the bottom line.
For a long time, organizations outsourced a lot of their cyber security and risk management functions to specialized companies who have the resources, digital capabilities and threat intelligence to detect, remediate and respond to cyber threats. This has led to a fiercely competitive market of vendors who have multiple solutions to support customers.
However, increasing regulatory compliance, pressure from the board on ROI, and a huge talent shortage in the cyber security industry have led many companies today to build their own cyber capabilities in vulnerability management via in-house teams.
While the jury is still out on whether the best course of action is to build your own or to buy from other vendors, there is undoubtedly an acceleration in the self-build model, especially in the telecom industry. When looking to self-build, the customer is looking for three things: People, Process & Partnership. We call it the 3P model of cooperation between technology and customers.
People: Ensure that the organization has sign-off from the board to set up an internal COE for a designated practice that establishes the governance model and has a focused team structure with clear roles and responsibilities. This team has to have a clear strategy for recruitment, retention and career development paths. Technology partners from the industry will play a very big role in ensuring that knowledge transfer continues over the coming years and is not just a one-time training session. Recruiting the right skills and the certification process will be key. This could perhaps make or break the build vs buy decision. The costs of recruitment, training and retention all have a role to play in deciding whether a company wants to build or buy. In some cases, companies want to outsource, whilst in others they want to invest in their in-house teams to build their own capabilities. Either way it’s both a financial and strategic decision. No one knows which option is better, as it depends on the individual company’s requirements and budget.
Process: Organizations often fail to understand the process element: the framework, KPIs and execution that will help ensure that risk is detected, remediated and responded to, all in real time. Regular internal reviews, keeping a close watch on the industry ecosystem, and having the threat intelligence to predict where the next threats will originate from are all a critical part of the process element.
Partnership: The organizations that will achieve transformational change are those that pick and choose technology partners carefully and strategically. Ideally the partner will be a market leader in their field who can help build a comprehensive threat model and has expertise that is valuable to the customer. The ability to collaborate and create the right solution that is specific to each customer is often undervalued. This is not about short-term gain but a long-term journey that both the partner and the customer have to run together.
The next few years are going to be exciting as customers build new capabilities around cloud, blockchain, vulnerability management and 5G Labs, and co-create new ways of working within the industry. The jury is still out on which one is better: buy or build.