5 Ways to Stop Scaring Enterprises About Security
Get Set! Go! Your enterprise customer is racing in Formula 1, speeding at 370 km/h (230 mph) for the lead to win new business, increase profits, boost innovation, and take home the trophy. We as an industry are our customer’s pit crew: doing everything to help him win, including fueling the car, changing tyres, finding and repairing faults, offering strategic advisories, giving intel on competitors, and issuing tips about taking that treacherous Turn 3.
Our customer has a goal: to win. We have a goal too: to help our customer win, but also to win safely for himself, the other drivers and the spectators, and to be in compliance with Formula 1 rules. Those of us in the cybersecurity industry, including vendors and managed service providers, obviously place safety at the top of our list. But that doesn’t mean scaring the living daylights out of our customers, making them afraid to try anything new because it might be risky.
Instead, we must help them win their race by quietly making sure their safety gear is installed correctly. What we need is for the customer to focus on the driving, trusting that if he drives properly, he will be safe.
In today’s IT environment, just as on the Formula 1 racetrack, there are certainly security concerns that must be addressed with 24x7 readiness, measures to attempt to prevent breaches and data exfiltration – and constant awareness to detect and respond to emerging threats, zero-days, unpatched vulnerabilities, and active cyberattacks.
There are five lessons that we in the cybersecurity industry can learn from Formula 1 and other professional racing teams. We need to learn those lessons and, let’s be honest, start to apply them. We must be more active in trying to help customers win… and we should stop trying to sell more products and services by hyping fear. Enable. Empower. Don’t scare.
Formula 1 Lesson #1: Show that it’s an ecosystem. Safety depends on selecting the right part, and every part working properly. In IT, we need to know not only what security tools are in place, but also the assets that must be protected, whether it’s intellectual property; digital access credentials; regulated information about privacy, finances and health; or customer-facing websites. Some information must be protected to the ultimate extent possible (just like Formula 1 teams focus most on protecting the driver). Some information is less critical and doesn’t need the same security investment. In order to help your customer, help him judge the appropriate safety measures for each system, so that he’s not overspending and overcomplicating his systems, and thereby reducing flexibility and agility.
Formula 1 Lesson #2: Empower to detect and respond. Security isn’t only about protection. On the racetrack, hazardous situations happen all the time, whether it’s an equipment malfunction, weather, or an accident further down the track. The driver’s job: detect and respond to those hazards – helped by his crew. In the enterprise, we can load our customer with firewalls and antivirus solutions… but bad things are still going to happen, whether it’s ransomware or a DDoS attack or insider theft. We need to equip the customer with the ability to quickly detect and effectively respond to those incidents, or if we are a managed security provider, offer that 24x7 monitoring and response service. Incidents happen. Make sure your customer is prepared.
Formula 1 Lesson #3: Demonstrate that bigger is better. In racing, a bigger team has resources that simply aren’t available to smaller teams, ranging from more advanced technology and better driver training to more experienced crews. The same is true with security providers: A larger managed service provider can offer more extensive services than smaller providers, with a larger staff, internal training and professional career advancement, research and development, and the ability to leverage expertise gained by protecting more clients.
Formula 1 Lesson #4: Explain that problems are often caused by human error. The race car can have the best tyres and excellent track intelligence, but if the driver is distracted and misses the optimal racing line on a hairpin turn, that means falling behind, or maybe causing a crash. Likewise, many IT problems, especially security issues, are caused by human failure. Failure to update default passwords, failure to update vulnerable software, failure to delete the spearphishing email, failure to hang up on the fake call from “human resources” asking for the employee’s login and password. We in the security industry have a responsibility to do our best to advise and train, and suggest technological fixes when necessary. We can’t promise to absolutely 100% prevent breaches enabled by human failure, but with the right input to our customers we can minimize the numbers.
Formula 1 Lesson #5: Provide strategy as well as technology. In Formula 1 and other professional race programs, the vendors do more than supply vehicles to the drivers. They are closely involved with the teams and driver at every level, from design to preparation to the race day itself. In the cybersecurity industry, we have to get closer to our customers and prospective customers. We must understand their goals, business model and assets, so that we can provide the best possible advice and guidance, helping them build an IT strategy and security profile that balances the best protection against their requirements for agility and budget. We must become trusted advisors – not mere vendors or service providers.
In the cybersecurity industry, software vendors and managed service providers win when our customers win. We don’t win because we made a sale or sold a subscription. We don’t win because we blocked a zero-day or discovered a new vulnerability. Ultimately, our customers are hiring us to help them stay safe while they focus on winning the race.