We live in an interesting time. Technological capability is high and, irrespective of how we feel about ChatGPT, the fact that it is challenging our thinking and the way we work demonstrates how the art of the possible is becoming widely accessible to individuals and organizations. On the other hand, the IMF and Institute of International Finance project global economic growth uncertainty in 2023 and the World Economic Forum highlighted challenges in its 2023 Global Risks Report that technology alone will not solve, including energy and food supply crises.
Individuals and organizations are increasing scrutiny on discretionary spend. While individuals who have the privilege to have this problem can adjust spend quickly, organizations must continue to spend to protect their market share and remain relevant for when consumers are ready to buy again. Underpinning both sides of this equation is a need to remain secure, a risk that executives have included in their top risks for 2023.
The CISO response
On the upside, technological advances have permeated the cybersecurity industry to the point where Chief Information Security Officers (CISOs) and their teams have been spoiled for choice in terms of tooling. A diverse toolset has emerged in many organizations but just as most teams have operationalized their core capabilities, the pendulum is swinging back, via a top-down push from CIOs, to simplify architecture.
During this time, Microsoft has invested billions in its security products and is increasing its investment significantly in the next five years. According to a number of analysts, Microsoft now boasts a suite of ‘best of breed’ products and is focused on further integration across the suite and on making costs simpler and more predictable for customers. Because of this, the associated gain in market share and the CIO push for simplification, even skeptical CISOs are using Microsoft’s E5 security suite as a reference architecture for their toolsets.
Microsoft – riding the (bumpy) wave
Alas, even where sponsorship for this change is strong, it isn’t easy. Few organizations are starting from scratch and the ‘brownfield,’ or existing, toolset adds significant complexity – technologically and commercially.
Contextual continuity – Organizations have always had to balance security and usability. In practice, one result is that organizations have pre-configured approvals of tool ‘bypasses.’ While we need to accept that new and/or improved capability can rightly disrupt business, overlooking this consideration during migrations can cause a lot of noise. Taking the time to understand how pre-existing, or brownfield, tools have been tailored for organizations and phasing deployments where target environments are diverse are vital steps in managing deployment risk.
Deep dependencies – Modern security tools need to interact with other tools across the cyber and broader technology toolset to gain intelligence (from data) and help automate and assist investigation, resolution and response to cyber threats. These integrations pose some of the most complex challenges to project teams, not only because of the different technical methods involved but also because these tools are often managed by a variety of teams, including those outside of the CISO’s direct influence. Strong structural governance helps but genuine, collaborative relationships with the individuals involved are always more beneficial.
Commercial complication – This brownfield and target capability has a significant cost associated with it – for licensing, implementing and operating. While the Microsoft tool license negotiation is notoriously intense, implementation teams will also be faced with pressure to reduce legacy costs, for example by ending subscriptions of existing tools. While the cost savings associated with migrating from legacy are important, doing this too fast can cause a disproportionately high risk of suffering a security incident.
Implementation can be costly. When contemplating implementation partners, consider what is genuinely needed. If it’s Microsoft product skills, it may be possible to get the support needed directly from Microsoft. If a diverse brownfield environment exists or organizational change is expected to be a hurdle, a partner with a breadth and depth of experience will likely make more sense. While this will add cost, it does add assurance to any software investment. It’s also worth noting that Microsoft may invest in an organization’s success via its implementation partners. While this is subject to . . . well . . . a lot, many organizations are unaware that these investment fund opportunities exist.
Shifts in operational costs are often overlooked during project planning. While we see genuine opportunities to reduce costs through simplification, it is also important to note that as visibility of threats increases, people and processes are needed to respond to them. A Security Operations Centre may be able to absorb this responsibility, but it is also under regular pressure from other departments to add use cases into its service, and this will increase as those departments come under their own cost pressure.
Finding the balance
In our experience, a key underlying challenge in any cybersecurity implementation project is to balance cyber, project and deployment risk. Cybersecurity is the obvious priority but if deployment-related incidents arise or milestones are consistently missed, project teams can lose the goodwill of stakeholders while exposure to cyber incidents increases. Protiviti’s team of Microsoft MVPs, commercial, technical and business change specialists can help organizations navigate and overcome this inherent complexity, from definition through delivery and in responding operationally to the additional insights a deployment will provide.
Gagan Arora, Director and Antonio Maio, Managing Director, also contributed to this post.