Pain is inevitable. Suffering is optional.

These words, spoken by the remarkable Sean Stephenson (who knows a thing or two about pain and suffering), have been resonating with me lately. We, as humans, are going to experience some kind of pain, but what we do not have to experience is suffering. And while some take this pain and learn from it, others let it needlessly linger.

In this sense, many companies in the cybersecurity industry have clients that depend on them to keep their businesses safe. Even in these situations, pain is inevitable. But the question is — why are so many cybersecurity companies causing their clients to suffer needlessly by offering inferior products that do not fully protect their customers?

There are some big reasons for this and unfortunately, they often speak purely to the human condition. Fortunately, this issue is easily fixed. So, let’s explore why this is and how we can correct it.

Issue #1: Complacency

Cybersecurity, at its core, is an ever-evolving industry; the threat landscape can change in an instant. Products and concepts can go from being solidly secure methodology to irrelevant literally overnight.

I spend much of my time searching out and reading articles to keep up with the latest news and threats, not to mention being on the Dark Web constantly looking for the latest malware to identify which anti-virus scanners it’s able to bypass. It’s a never-ending process that has caused me to rethink or retool cybersecurity solutions countless times over the years. This is the nature of the beast.

Unfortunately, at the small and medium-sized business level (and some large enterprises), most will not contract with a dedicated cybersecurity outfit and instead look to their local IT contractor for cybersecurity. Usually, these contractors have a focus on IT support and do not have the time or inclination to keep up with the constant homework required by pure cybersecurity outfits.

Or, they’ll recognize the need for a cybersecurity play and then rebrand their existing hardware and software offerings as a true cybersecurity solution. This usually results in a customer believing they’re more secure than they really are because they don’t know the differences between the best firewalls out there versus the average ones.

Nor should they — that’s their contractor’s job. Because he or she can speak the cybersecurity buzzwords, effectively answer the client’s questions, and is probably really good at normal IT support, they become the trusted cybersecurity solution when they shouldn’t.

Much of this falls into complacency. The IT contractor knows the technology they know, and investing in enterprise-level cybersecurity offerings is not worth the time and money when they believe that they already have an effective solution in place. This mindset results in thousands of businesses with major vulnerabilities. With over 60% of breaches happening at the SMB level, this is a serious issue.

I have my favorite hardware and software solutions for cybersecurity. They’re currently the industry leaders and consistently producing excellent research and analysis. I love using them because I know my clients are safe and secure in a vastly superior way than 95% of the businesses out there.

If a new solution comes out tomorrow that is clearly ahead of anything I’m using, I’m moving on to evaluating it and switching; if it’s a very critical change, then I’m informing customers of the new possible direction. I cannot be married to any cybersecurity solution because they are not one size fits all and won’t be best for every client. This has to be the stance of any company advertising themselves as Cybersecurity experts. Sadly, it’s not the case.

Issue #2: Lack of Education

This dovetails with the complacency issue. I’m not talking about training on new and better solutions, though that is also an issue and should also happen. Rather, I’m talking about the investment in educating oneself and others about not only the latest threats out there but also about new methodologies and techniques to increase the defensive posture of their customers.

Recently, I was at a conference talking to a group of IT company owners and in this conversation I asked the question, “So, is anyone here using the Zero Trust model for their clients?”

None of them had any idea what that was. This normally wouldn’t be a problem (and I’m happy to educate anyone on the benefits of this network model). However, these were a group of people who are offering cybersecurity solutions to their clients and doing it by adapting a cybersecurity solution into an existing network model they’re familiar and comfortable with.

It absolutely needs to be the other way around. In some cases, the wheel really does need to be reinvented. There are better ways to create and build an infrastructure that has cybersecurity in mind first and foremost. Any cybersecurity provider who cannot see the Forrester for the trees here has a serious issue, and if you don’t understand the joke I just made then you could very well be one of the people I’m trying to reach.

Issue #3: The Scarcity Mentality

This one really bugs me. This mentality can put some seriously nice people in some seriously bad positions. I believe that being in a service industry like IT or Cybersecurity is fairly akin to the Dating Game. To really be successful, both parties have to be on the same page in terms of vision, solutions and process of execution.

I see so many IT and cybersecurity firms offering tiers of solutions to their customers as well as potential customers. If the customer can’t afford the top-tier defensive solution then a low to mid-grade option is offered. This is the worst possible thing a cybersecurity outfit can do for many reasons!

To begin, cybersecurity is a rather black-and-white industry in some aspects. A customer is either vulnerable to threats or they’re not. A top-tier solution ensures they’re not vulnerable in essentially all of the known ways threats can come into a network. Any less and the client is still vulnerable. The argument of “well, they’re less vulnerable” doesn’t fly with me. They’re STILL vulnerable!

Any company that is unwilling to invest in its proper protection, once it has been conveyed to them just how important a complete top-tier cybersecurity solution is to their defense and uptime, is a complete waste of time to me.

This may sound harsh, but it’s the truth. Those companies tend to lack direction and vision and can’t really see the big picture. Sadly, they then get catered to by IT companies that are either complacent, not educated or willing to sell weaker solutions just to gain a little more money each time.

This ultimately serves no one. When the ransomware bypasses their mid-range solution and locks the client out of the network, then the IT company has to defend themselves against the wrath of the client. I would rather have a hundred customers that see my vision than a thousand that I was able to get via a “bargain basement” mentality. They will be clients for life and I will grow as they grow.

So, Why Does All of This Bring Better Customers?

Honestly, this all comes down to mentality. If you’re meeting potential customers with a vast amount of knowledge and understanding of the latest threats and solutions out there, then you are going to attract and win those customers who share your mentality. You also have to be firm in your belief that your solution is literally the best this planet has to offer — and it better be — otherwise that will seriously come back to bite you.

You will never have to nickel-and-dime and ultimately those that you work with will make your life easier while you make theirs worry-free. These relationships are symbiotic, but to achieve these levels, one cannot fake it or cut corners. It takes time and effort but the payoffs are incalculable. Best of luck out there!


About Nick Espinosa

Nick serves at BSSi2 as the CIO & Chief Security Fanatic and is an expert in security and network infrastructure. Nick has consulted with clients ranging from a few computers to the Fortune 100 level regarding encryption systems, infrastructure and multinational environments. When he isn’t working magic with computers or playing with his daughter, Nick relaxes by playing chess, riding motorcycles and increasing his knowledge of history. You can follow Nick on Twitter at @NickAEsp
