Better, Cheaper, Faster -- Can Your Cybersecurity Consultants Give You All Three?


The long-running joke in consulting is that there is better, cheaper, and faster -- pick two. 

I admit that I have muttered this same line in my consulting career. All consultants know that clients at times try to get more than what is specified in the contract -- sometimes unintentionally, for example by not understanding the contract. Sometimes clients intentionally try to get more than bargained for, faster, or for less; unfortunately, that puts everyone in Alice's Wonderland.

The Internet and television dramas, especially medical dramas, have exacerbated this problem. People believe that they can expect delivery overnight and that executing a project or getting results happens before the commercial break, certainly by the end of the two-part episode. We also all understand that this is not reality. But believing that things that are not real are in fact real is a human thing, also known as a cognitive bias.

Cybersecurity requires better, cheaper, and faster. But wait, you say, we just established that consultants scoff at those of us needing all three. Therein lies the tension in cybersecurity that we at Pythia Cybersecurity address.

Better, cheaper, and faster imply comparisons: compared to what? Let's discuss.

Better cybersecurity

The Reverend Billy Graham was once asked which translation of the Bible was best. His answer was: whichever one you'll read. The same sentiment is true regarding following diets. And yes, the same is true of cybersecurity protocols. 

You cannot buy your way to better cybersecurity. Spending more money on "the best" cybersecurity won't give you "the most" cybersecurity. 

Better cybersecurity is a risk management process that requires careful adherence to the best cybersecurity models over a period of time. See our blog posts about this process.

Faster cybersecurity

Tensions arising between clients and consultants usually involve time to complete projects because businesses need to execute faster than what the contract specifies. In cybersecurity, one might think that buying a service will be the answer to "faster" because it's already on the Internet.

The "faster" cybersecurity-as-a-service model is, well, faster to activate than boring old process-based cybersecurity. But it won't stop insider threats -- completely different though mutually informative threat models -- and it might make employees less likely to take cybersecurity seriously. You might ask how much less seriously they can take it, given that mandatory annual cybersecurity training doesn't work, but inattention to cybersecurity can lead to employee behavioral issues.

Are you really sure that "faster" cybersecurity is better cybersecurity?

Cheaper cybersecurity

Do you know how much you spend now on cybersecurity? Not what your IT budget is: what is your cybersecurity spend, which is presumably part of your IT budget?

The really bad news is that artificial intelligence (AI) agents are getting better and cheaper, but your cybersecurity is not getting cheaper, thereby creating an asymmetrical escalation on your part to counter increasingly sophisticated threats.

As a leader or investor or IT professional, you must take time to understand what you're defending, why, and what that will require. Not all cybercrime is the same. Not all assets are equally valuable. You must choose, because you cannot spend endlessly on cybersecurity.

Only once you have chosen what and why can you choose how and how much to spend on cybersecurity. You may find that some parts of the cybersecurity process are cheaper, and some more expensive. 

The biggest barrier you will face in seeking to improve your cybersecurity is this: you need a different mindset for cybersecurity than when you seek other better, cheaper, and faster business processes. 

Be different. Ask us how you can do cybersecurity better, faster, and cheaper.
