Talking Out Loud with ASB

Views on Life, Technology and Everything, by ASB (aka Logik!)...

Andrew S. Baker (ASB)
Wise Security Investment Approaches

A holistic approach to information security needs to address a corporate strategy for buying or building solutions. Such a strategy will have an impact on how a company looks at staffing and technology investments.

There are two basic ways to look at major investments of information technology and information security: you can buy or you can build.


Option A: The BUY model

In this model, an organization selects industry standard tools and technology, and aims to hire above-average to guru-type employees who will integrate the technology into the corporate environment. The staff is reasonably interchangeable in this model, although technology costs are on the higher end for implementation. Ongoing maintenance costs are average.

Option B: The BUILD model

In this model, an organization hires the best and brightest, and uses software and/or hardware components to build custom solutions for the organization. This affords the greatest flexibility of tools, but requires higher staffing costs, and support and maintenance are tied to the staff for the full lifecycle of the solution. Staffing changes are a bit more traumatic to the organization, and knowledge transfer is more important than in the BUY model.

Both approaches have merit, but they impact the company’s cost structure in different ways. Option A puts more emphasis on purchasing the right tools. Option B puts more emphasis on hiring strong technologists who will build the right tools and frameworks for the organization. Either way, you always need to have good, dedicated people, but the specific skill sets required of the staff will differ between the BUY model and the BUILD model.

There is no *best* option, especially when you include factors like availability of skills, time to hire, competition from other companies, etc. Not only is it valid to use either option, but it is valid to use a combination of both. A major constraint is the existing staff, and this often heavily influences the direction that an organization ultimately takes. Once the company has settled upon the model that will define the general direction of its investment strategy, it needs to do two other things:

1. Identify the security risks facing the organization and prioritize their remediation.

2. Start simple with every investment, then evaluate for possible expansion after it has been implemented.

Identify Risks & Prioritize

It is almost impossible to resolve issues that are not known to exist, and without a list of known risks it is extremely difficult to set priorities and make wise choices about the investment of time or money. Risk identification must therefore be performed, and it must be updated regularly. A stale risk profile is in many ways much worse than a non-existent risk profile, as it can lead to a false sense of security.

Round One: Simple Solutions

Once risks have been identified and prioritized, every attempt should be made to implement a solution that balances simplicity and thoroughness. It doesn’t matter whether the solution is being built or purchased; the goal is to get something useful in place that will address the key risks identified, with the expectation that it may be replaced or expanded within 12-15 months.

Ideally, the initial deployment should take no more than 4-6 weeks, and should cover a minimum of 80% of the initially understood needs of the organization for the risk it is intended to address. Getting something in place quickly and cheaply will be of immediate benefit to the organization, and it will help expose which features are really needed by the organization vs. those which were only nice-to-haves.

For organizations employing the BUY model, this makes it much easier to evaluate the merits of the vendor feature lists that will be vying for the corporate budget.

Organizations employing the BUILD model can quickly get to work on another “Round One” project, and start putting the necessary team, budget and executive support in place for any “Round Two” projects which have been identified.

For SMBs that have a limited hierarchy and are not used to any sort of formality in solution procurement, embracing this strategy can be a very effective way to add some needed process maturity without becoming overly bureaucratic. The value of a size-appropriate cost/benefit analysis, and of introducing some process discipline into the planning, procurement and deployment methodology, cannot be overstated for SMBs.

Remember: Enhance the security posture of your organization by assessing the needs and make-up of your business in order to select and implement the appropriate investment strategy. Then, you can begin to mitigate your technology-focused business risks quickly and cost-effectively.

You can think of it as Agile Security, if you really want a buzzword to work with, but it is just as effective even without a cute name. Don’t delay – get started today.


About Logik!

Andrew S. Baker aka ASB aka Logik!

Andrew S. Baker is a business-savvy, hands-on IT leader with expertise in mentoring people, mitigating risk, and integrating technology to drive innovation and maximize business results. He creates competitive advantage for organizations through effective IT leadership: implementation of processes and controls, and architecture of robust business solutions.

Mr. Baker has successfully led a number of high-performance technology teams in designing, deploying and maintaining secure, cost-effective computing environments for well-known companies, including Warner Music Group, The Princeton Review, Bear Stearns, About.com, and Lewco Securities.

For over a decade, Andrew has exhibited thought leadership on technology and business topics via mailing lists, technical forums, blogs, and professional networking groups, along with contributions to podcasts, webinars, and over 20 technical/business magazine articles. He also serves on several boards and committees for non-profit organizations, and within the Seventh-day Adventist church.

His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers, Family Life Ministries, Reading, Strategy/Role Playing games, and Professional Networking...

A summary of Andrew's current résumé is available here, and he can be reached on a variety of social and professional networks, including LinkedIn, Facebook and Twitter.