Your security stack needs more than just hammers

So we've drunk the security koolaid. We know that cybersecurity is a big and growing issue, and our clients need better security. We're onboard. And every MSP is building their Security Stack™ and trying to work out what's included.

But what do we include in our stack?

Most vendors are telling us that their software is the answer. Their tool, their hammer is what's needed for your stack. Their tool will make your clients safe, repel cybercriminals, end world hunger and make your hair look amazing. So obviously we'll include that in our stack.

Yay, one tool down - now what? More tools!

"Aah, but but but", I hear the vendors say - "there really are lots of different hammers for very different purposes. OUR Hammer is different, and it's essential for your toolkit." It may be a very special hammer with many lovely features and attributes, but by arguing hammering-efficiency and hammer-accuracy, the reality is that everyone is missing the point.

More than just hammers

Improving the security posture of a client needs a broader approach and a wider set of tools, processes and procedures. Most security tools in the market sit squarely in the Protection zone (e.g. in the NIST framework) - and there's almost nothing touching on identifying risks or threats, or on responding to incidents or recovering from them.

To a large extent, there's a lot more of a gray area in managing risk assessments, talking governance policy, getting executive buy-in or building out robust incident response plans than in rolling out a suite of technical tools.

Many of your technical staff (and perhaps you yourself?) will want to avoid the complexity and uncertainty and stick to the areas they know best - finding the best hammers they can and deploying those software tools.


More than just hammers... but what else?

We need more tools in our kit than just hammers. So what should we add in? Is hammers plus screwdrivers enough? No? With pliers too? Still no? What do we need? How do we know when we have enough tools, and the right tools?

The answer depends in part on what you're trying to achieve, and how much of the experience/interaction with the client you want to manage.

So which tools, David, which tools?!

Well, I do have an answer to that. But unfortunately you'll have to wait a little while to hear it.

I'll share my thoughts here in two weeks, and I'll also be running a webinar for Pax8 Academy on this topic shortly after.

In the meantime, I'll leave you with this question. Apart from tools, what else would you need to build a house?

We know the builder is involved, but we also have architects and planners, and the demolition company, and the subcontractors and the suppliers. We need to work with the Local Council to make sure we are working within existing restrictions (council planning schemes, availability of electricity or gas services, height or size restrictions etc). We need someone to test that what got built matches up with what was planned; and then after it's built, we still need to maintain and protect it. All of those involved will have processes and procedures as well as their respective tools - and they all need to communicate with each other and with the client.

In all of that, who is looking out for the client? Who works to make sure it's all delivered on time and on budget, who settles the arguments with the vendors and subcontractors, who's aware of issues as soon as they come up? And most importantly who's making sure the client is getting what they need?

You can provide so much more value to a client (and get paid so much more money) if you change your viewpoint from being a tools-provider (subcontractor) to a whole solution-provider.

I'll return with my detailed take on this, and my suggestions on how to improve overall outcomes in 2 weeks. Do let me know any thoughts below!


Shoutout to Pax8 APAC Academy: James Davis, Nathan Hutchison, Maria Armstrong. And to others in Pax8 APAC who hopefully aren't trying to sell you hammers: Chris Sharp, James Bergl, Aidan Clifford, Elliot Seeto, Diana Drury, Grant Sheridan, Kevin Gritsch, Kris Eckstein, Kyle Menosky, Marco Chan, Matt Dewsnap, Craig Donovan and Dave Howden, and the one and only Matt Lee, CISSP, CCSP, CFR, PNPT

#msp #cybersecurity #apac #smallbusiness #pax8 #stack #securitystack

Agreed, although sometimes you already have the tools that can do the job, but they are more complex or require a master tradesman to operate them. So finding an updated version or a different type that provides the required outcome quicker is sometimes worth the investment. But I also agree that there are so many components to managing the outcome and the risks, budget and what-if items that have nothing to do with the technical solution created. Great article.

Spot on, David. I'm keen to watch you build on this narrative as you're right, you need a plan, destination & a map to follow!

Love this. Well said.
