Taking a process-led approach to your cyber technology deployments is critical to your organization’s ability to reduce risk. Too often, organizations focus on solution features and not on driving the appropriate security outcomes.
When making an investment in a cybersecurity solution, or really any IT solution for that matter, you are looking for just that – a solution to a problem. Too often we get hung up on this feature or that function. The reality is you have a business problem and are looking for a solution to solve said business problem.
Successfully deploying the solution is as critical as selecting the right solution to address your problem. Oftentimes, software solutions are deployed using a technology-led approach. A technology-led approach to deployment typically jumps right into installation (on premises) or configuration (SaaS) for the technology of choice. This is a natural approach for technologists, as it gets them to their new set of features or functions most quickly.
The Standish Group Chaos Report finds only 29% of IT project implementations are successful, and 19% are considered failures. A technology-led approach to deployment oftentimes can significantly reduce the value realized from the investment in the technology solution. Most technology investments result in the transition from a current state to a new state. Your current state can be very manual, a homegrown solution, or an off-the-shelf application you are looking to upgrade. These processes have likely been tuned and optimized to support your current technology stack.
Why process matters
All technologies are different. Even if your new solution is delivering similar capabilities to your current technology stack, there are likely differences in how they go about delivering those capabilities. Usually, there are also new capabilities you would like to deploy. These new capabilities might not even be considered in your current processes.
Cyber Exposure is an emerging discipline focused on managing and measuring your modern attack surface to accurately understand and reduce your cyber risk. The discipline of Cyber Exposure requires us to look at this critical business problem and the supporting solutions through a different lens. Cyber Exposure is fundamentally changing core security processes by providing a broader coverage of assets while providing rich information necessary to prioritize where resources should be focused. Process transformation is critical in order to fully achieve this goal.
The value of a process-led approach
A process-led approach to deployment starts with a discussion about business and security objectives and the supporting processes necessary to achieve those objectives. Tenable Professional Services is defining a point of view regarding the common cybersecurity processes our solutions enable. These processes include asset discovery, vulnerability management, and configuration management. Early in the deployment process, we have a discussion with clients about these key processes. The objective is to arrive at a process definition that achieves the client’s business and security objectives while fully utilizing the capabilities of the technology. These process points of view provide a framework for facilitating this discussion. The result is a process-led versus technology-led approach to deployment.
The best advice I can give someone deploying a new technology is to first clarify your business and security objectives. These objectives should serve as a North Star for decision making. Take the opportunity to review your processes and procedures in the context of the new solution. Seek to understand the full breadth of capabilities of your new solution. Adjust your processes to maximize these capabilities. Only then are you ready to install and / or configure the technology. This will give you the best opportunity to maximize the realized value of your investment.
- Consider a workshop: Advisory Workshop for Cyber Exposure Planning
- Download the eBook: How to Prioritize Cybersecurity Risks: A Guide for CISOs