Is CyberSecurity supposed to be expensive?

*Credits – This article is the result of an ad hoc discussion between @Vinod, @sivanathan and myself over social media.*

It starts with the question: does cybersecurity have to be expensive? We each chipped in with our viewpoints on how it works in practice. This article is a distillation of that discussion plus some additional thoughts I had, which I thought would be beneficial to readers.

In hindsight, the discussion, while focused on cybersecurity, applies just as well to technology in general, or whichever part of it you work in. You may see some resemblance to your own field, though the examples and focus here are primarily cybersecurity.

The important fact – Numbers

IBM's Cost of a Data Breach report [1] puts the global average cost of a single breach at USD 4.88 million. Staggering, to say the least. I remember, while working in the financial sector, we had an eight-digit budget specifically for this purpose, all-encompassing (yes, that includes CAPEX and OPEX). And without fail, we spent the full amount on time, because there is simply a lot to do. Not forgetting that the implementation covered multiple countries, each with its own regulatory compliance requirements.

With a great budget comes even greater scrutiny, audit and responsibility!

Spending it

Go into any company and you will find there is always a gap. An issue, or you were hired because there was a breach. Or the regulator just introduced new requirements that call for technological intervention as part of cyber risk mitigation. Or you are in an exploratory phase to identify the underlying issues and need to show the reason for your hiring (hence justifying your salary).

Now that you have your shopping list, you need to propose a budget. How do you get the number? Most organizations' procurement functions have a process for it, the Request for Proposal/Quotation (RFP/RFQ), which gives you an idea of what the cost might entail.

Commercial?

The default option is always commercial. Why? You buy a product, and it comes with support. So if anything breaks, you have someone you can shout at (I know some people do this because if they don't, they might miss the bonus around the corner). For most infrastructure purchases, the purchase price includes the first year of support. The product is new, you may not have a full grasp of it, and if there is an issue, or you need the latest patch, you can ask for it (I'll cover patching later).

Vendors have their own hierarchy. Those who sit in the "elite" quadrant or section of the analyst report (the analysts make a killing producing and selling these reports, as well as getting vendors to cough up the dough for the "right placement") get better sales opportunities. I had this problem myself: I had to show that the solution I picked was analyst-report favourable, and still got shot down because the price was so high. So, if you want a mature product with all the bells and whistles, you had better pony up. The cheapest among the elite is usually just the one whose country manager is desperate for sales and willing to shove some marketing budget into the deal.

Open Source – or Pau Ka liao (PKL)!

Some organizations focus on "getting work done". I'll get you the hardware, the rest you manage (hence pau ka liao, Hokkien for roughly "you cover everything yourself"). I've been in that situation. Ironically, a firewall I purpose-built ran in an ISP for 11 years. They decommissioned it because I didn't leave behind the kernel configuration (it was a custom-built kernel), and I had left many years earlier. Sounds exciting, given the current maturity of open source and the availability of many packaged, purpose-built appliance images?

For some it's a dream come true. Putting your stuff out in the open and seeing that it works. Been there, done that. And even today, at a senior level, when I attend interviews for CISO roles I keep being asked whether I am hands-on. Not sure if I would want that, or whether the company is looking for an all-in-one scapegoat, or is too cheap to afford a proper team. (Hint: asking for a CISO role to be hands-on suggests you expect that person to do everything, which is not what a CISO does. Just like expecting the CEO to install Windows on a PC; well, he was hired for the company too, right?)

Where’s the catch?

In both scenarios, the risks are the same. The only difference is who you shout at. I'll explain.

Cost

When I talk about cost, the first thing that comes to mind is how much money goes out. That is true, but bear in mind that time is also a critical cost.

How does time differ?

In commercial arrangements, the support contract comes with a defined level of support. For example, you can specify that it follows the regulator's requirements: first response on site within 2 hours, critical issues resolved within the SLA, and spares available for immediate restoration. For this, as I mentioned earlier, be prepared to cough up. Time to restore will be much shorter; a support contract is essentially a transfer of risk to the vendor, who has to be on their A game all the time.

Good news: you just have to be a vendor manager. I know a lot of "engineer"-titled people whose full-time job is to be a vendor manager. Sometimes I wonder whether I really need an experienced person to be a vendor manager or can just hire a bunch of fresh grads to do the same pencil pushing.

But then, not all organizations can go down that path.

For those kan-cheong (Hokkien: anxious, hard-pressed) organizations, well, you get the luxury of lower cost, but you need two important components. The first is a sufficiently mature solution, or the ability of someone in the team to conjure up a solution mature enough to support the organization. Second, the ability I just mentioned can only be found in skilled workers, who are scarce, so you may need to pay more to hire good people.

What was that about cheap vs. good?

Hiring good people is one thing. Retaining skills is another. You'd have to be able to deal with multiple God-like personalities who end up dictating their terms of work. You need people who know stuff (or the other S word) and know how to do it, people experienced in building and maintaining things.

Technology Debt

Technology debt hits both commercial and PKL solutions. From a commercial point of view it's rather simple. Want the latest and greatest? Upgrade, with a cost tagged to it. For PKL solutions, let's hope the engineer decides to live out their life in the same company without demanding a raise or even a bonus until they retire... (RIGHT!)

So why the commercial or expensive choice?

The reasons were laid out above. The business needs to run, whether the original staff are still there or someone has replaced them. Paying for support is much easier than managing people (hence the push for some organizations to outsource, and then the light bulb glows and it's insourced again... sheesh!). The business doesn't get held to ransom by some star employee who demands constant attention and raises. Business owners can (somewhat) sleep peacefully knowing that the problem has been solved by throwing money at it (which seems to be the easy way out). And if something breaks, there's a neck to choke, a vendor to replace and a place to deflect blame. All is well in the well!

The cheaper option exists. But is it truly cheaper? I honestly don't think so. Imagine you have to bring up a critical service, you're hit with a security vulnerability, no patch is available, and every time you bring the server back up it goes down again because you get hit again and again. The software producer doesn't have time to listen to your whining or produce the fix, and you forgot how to code after leaving uni aeons ago... If your business gives you the leeway and a "get-out-of-jail" card, then maybe. But now the whole company runs off your back. An ego booster for some, high blood pressure medication for others.

Is there even a conclusion?

This is my favorite conclusion rehashed time and time again.

It depends. Yes, it always depends. The business needs to decide which direction to go in, and understand both the visible and the hidden costs.

Reference

[1] IBM, Cost of a Data Breach Report, https://www.ibm.com/reports/data-breach
