Organizations today, even those not related to "tech", all have a need for cybersecurity. Regardless of your industry vertical, if you have email, a website, a phone system, or even just have people using computers, cybersecurity is needed at some level or another to protect your ability to do business.
What is your cybersecurity strategy? Every organization has unique needs, regulatory requirements, budgets, and priorities. Every organization needs to go through the process to understand each of these and create a roadmap for how they are going to protect themselves.
There are many varieties of security products/technologies out there. Understanding what your organization needs is a daunting task. And just buying the technology doesn't suddenly make your organization protected. It needs to be implemented and maintained, it needs to integrate with other technologies and processes, and it needs to address your organization's needs without itself becoming an impediment to doing business. Do you outsource or do this in-house?
Planning your next 2-3 years means making purchasing decisions and process changes that are aligned with each other, so that together they build a solid program and lower the risk that your organization will be in the headlines for the wrong reasons. This is where using trusted advisors can help.
What is a trusted advisor?
Trusted advisors come in many different roles depending on your needs. They might be:
- An assessor that comes in and helps identify gaps (e.g. lack of consistent patching on servers) and helps you determine how to close them.
- Someone that helps you get your organization aligned to specific security frameworks or regulations (e.g. HIPAA/HITRUST, PCI, ISO 27002, NIST CSF) for compliance and the ability to win contracts from Fortune 500 companies.
- An individual that supports a CISO or Director of Security helping out as a sounding board to flesh out ideas and help identify costs and risks. They may even help you write the business case and draft the initial presentation you give to your board or manager to ensure adequate funding.
- Someone who acts as an educator and can help you prepare for an external audit, review and enhance training curriculum, and help people understand their roles, especially in organizations where people wear many hats (e.g., help define expectations).
Unlike a technologist (someone who helps implement a technology, e.g., install and maintain a firewall), a trusted advisor works holistically to help align technologies and a cybersecurity program: That firewall needs to be updated; do you need a documented process? Should you send out an email to users that their login screen will look a little different? Is now a good time to change the architecture and move into the cloud?
The value of trusted advisors is that they are people that have done it before and bring experience to the table. They have already seen the bumps and potholes and help you anticipate and navigate around them. They have worked with organizations of all sizes and have multiple tools in their toolkit to help innovate, administer and coordinate your security program to fit your organization.
How do you choose a trusted advisor?
These are features of a trusted advisor that you should consider:
- Ability to utilize other subject matter experts. No single individual will have an unlimited skillset. Your Trusted Advisor should have resources available to them to help provide deep knowledge.
- They should be working in your best interests. While vendors have fantastic advisors for sizing and implementing their product, there may be some concern that a recommendation is likely to benefit their organization more than yours. For an advisor to be trusted, you should feel confident that their recommendations are based solely on your needs.
- Ability to learn about and understand your organization. Someone who can step in and understand your organization first is better than someone who can walk in and provide a roadmap for you on day one. You can't have a roadmap without a starting point.
- Sometimes you can be impressed with the depth and breadth of someone's experience, but you can't work with them on a personal level. They say that job interviews are primarily about ensuring you can work with someone. This is also true with your Trusted Advisor. And if you make a mistake, can you easily replace the trusted advisor with someone else rather than starting over from the beginning?
But can't I hire someone?
Sometimes, it depends.
Can your organization attract someone? With cybersecurity unemployment at record low levels, professionals can pick and choose where they work.
Do you require a full time employee or only someone to work a few hours a week?
Will you be able to support the time required for them to train and stay abreast of trends? How will they maintain insight into other organizations?
Will they come with their own network of subject matter experts?
Using a trusted advisor means that you can count on their organization to do all of the above in a pay-as-you-go model. You can choose what role of trusted advisor you need, and if your needs change, there is flexibility. However, in most cases, organizations choose a single trusted advisor to maintain institutional knowledge so that when someone specific needs to be brought in, you do not need to spend your time bringing them up to speed.