Your Cybersecurity Options: Oak, Acorn, or Both?
As part of an internal research project we are surveying the public statements on cybersecurity from a variety of companies. We are assessing first how the marketplace typically describes cybersecurity, to help us talk to executives in terms they already know.
But people judge you by the company you keep, so we wanted to get a sense of whose descriptions matched our vision of how best to practice cybersecurity and whose descriptions did not.
This research project will result in an internal white paper and some external posts, of which this is one.
As a preliminary result, we have noticed two broad categories of approach: buy it or build it. Since we have a foot in both camps (we sell help to build it), we can see both sides. We are taking this opportunity to answer a frequently asked question: which approach is best for us? Buy or build? As is so often the case, the short answer is "it depends on who you are and why you are buying or building." So much for short answers. Here comes the long answer.
We call the buy option Oak and the build option Acorn not just to avoid "buy" and "build" but also to reinforce what we feel are the essential differences. The archetypal oak tree is large, mature, established and has stood the test of time. It is also inflexible and immobile. The archetypal acorn is small, and filled with potential. It is also in danger of becoming a meal instead of a tree.
So it is with the Oak and Acorn cybersecurity options. Oak gives you nearly instant access to a large menu of services and products, all of which have been tried by someone else. Oak also tends to have preset programs which are applied to you without much regard for your particular staff or situation. Acorn promises custom results but requires time, commitment and a leap of faith. Acorn tends to have a process rather than a program; that process is used to help you build your own program.
Which is better for you, specifically? That depends on a number of factors:
- Do you need evidence of activity in a hurry, to reassure investors or partners? Oak.
- Do you need evidence of effective cybersecurity for reassurance? Acorn.
- Is your organization open to change, small or agile? Acorn, if you have the time and bandwidth.
- Is your organization large and lacking in flexibility? Oak is the way to go.
- Do you need security theater? Oak.
- Do you need to provably thwart threats and avoid vulnerabilities? Acorn.
When we refer to "security theater" above we are being neutral. Literally, security theater is any activity undertaken to give the appearance of greater security but which does not actually increase your security. Is security theater always bad? No; it is always a bit of a sham, but sometimes it must be done in order to get to real security. At Pythia Cyber we provide Real World Consulting. Sometimes in cybersecurity you need to do things which help create an environment in which you can get things done. Sometimes you need to set the stage. For example, sometimes investors or regulators or business partners need specific reassurance, and what will reassure them won't make you safer. But in the real world we bow to requirements. If you can't get to effective cybersecurity without a little theater first, then we are all in favor of a bit of theater. If you won't get the business or revenue you need without a bit of a show, then it is better to live to secure another day than to insist on effective security first.
This real world approach is why we don't feel that your choices are binary here: Oak or Acorn. You might need Oak for the short term and then Acorn for the long term. You might have chosen Acorn and have an effective internal cybersecurity program, but be required by an acquisition, investment or IPO to layer on Oak. Do what you need to do, both to have effective cybersecurity and to have a business.
This brings us back to two recurring themes here at Pythia Cyber. Theme 1 is that cybersecurity should be part of your business strategy, not merely an arcane IT function. Theme 2 is that there is Black Box cybersecurity (you don't know how it works) and White Box cybersecurity (you do know how it works). Generally, Oak is Black Box: convenient, pre-built, drop-in. Generally, Acorn is White Box: it takes time and effort on your part, and you have to help build it, but it is tailored to your staff and your risks.
Be as strategic about cybersecurity as you are about sales, finance, marketing and staffing. You can figure out what makes the most sense for you in the short term, the medium term and the long term. Pythia Cyber can help.