How I failed at business alignment
David Higgs
I help Rapid7 channel partners grow and scale technical pre-sales capabilities and service offerings
Let's talk about business alignment. These words are bandied around a lot at the moment. It sounds cool, and it's music to executives' ears, but what is actually meant by this? Is this some industry buzzword or fad that's going around?
In the context of cyber security, it's meant to mean that you're aligning the objectives of the business with the objectives of security (yeah, great Dave... you still haven't explained!).
Here is my story from way back before I joined Rapid7, when I tried creating a service that was cool to me but was certainly not business aligned. It's a story about an unsuccessful productisation of a cyber security service.
Why?
Well, so that hopefully I can share what I learned then and how I do things differently now, to help everyone!
(plays going back in time music)
At this time I had already been a solution architect for a few years and had a significant background in networking and telecoms installations. I had been studying security (pen-testing to be specific) for a while and was ready to offer these skills within some sort of service to customers. I started with just doing a few small bits here and there with scanning and verification of expected controls in place, but I wanted more.
With cyber security becoming more talked about, it was on the radar of the directors and there was the potential to put something together to go to customers with.
I flirted with various cyber security vendors trying to find something cool to offer customers that would protect them and would sell. At the time I still very much had the "silver bullet mentality", although I knew enough to know that not every bullet I looked at would be the silver one... (Just for the benefit of the readers, I feel it necessary for the sake of clarity to state that there is never a silver bullet and that defence in depth is of utmost importance.)
I got caught up in the marketing of one particular vendor, and I thought their tech was pretty cool. An interface that looked cool like a game, and lots of network-related information which as a network engineer I loved. This is the one! This is going to sell! I think it's cool, and so will customers!
I pitched it to the business and they thought it was an interesting product. It also had social proof, as there were other competitors selling it, but ultimately it never went anywhere.
Why didn't this work?
Well, firstly, the business I was in was from a telecoms background, which had a very different commercial structure to IT and cyber security. It meant that the commercials they were interested in were the MSSP structure, but the reality was that I hadn't finished my due diligence on how we would go to market and how we would support the product or deal with alerts.
The reality was that we had no one in the customer service team with cyber security skills who could tell a customer why an alert was triggered or what the alert was about. This meant that being an MSSP wouldn't work for us.
In addition, the majority of the enterprise sales team (enterprise customers being the types of customers likely to take an MSSP service) at the time didn't know anything about cyber security, and so wouldn't be able to sell against true cyber security resellers or MSSPs, or even help customers break down their cyber security challenges.
The go-to-market requirements were just too big and I hadn't thought about them enough.
I also spoke to a few customers about the solution, which we were able to demo, but no one was really that keen.
Why? I didn't understand. This product was cool! It would help to secure their environment! Why weren't they interested?
This leads me to the next problem. I hadn't tried to understand the requirements of the target customer base around security. This tool was for customers who had already embarked on their security journey, or for established MSSPs to extend their service. The enterprise customers were already talking to much more established resellers about this tool, and it would be very difficult to position ourselves as a competent MSSP against more established ones.
I then set out to understand what customer base we could position ourselves to and what those customers wanted... which was Cyber Essentials and Cyber Essentials Plus.
Why? Because they needed it to sell their own services to their customers.
The great thing was that the go-to-market strategy on it was more straightforward. We were able to put in place a standard pricing structure for the assessment for the sales team. I could help with the more bespoke requirements as I understood the process, what it was and what they needed, and then we found ourselves a great partner to complete the assessments. I had the technical ability to validate the quality of the reports provided, as the differentiator of the sale was the quality of the report - there were many people selling a copy-and-paste vulnerability scan as a pen-test and not mapping to the Cyber Essentials criteria. The service we were offering did just what customers were after and they were very happy.
It wasn't the grand vision I had first had about a managed service, but it was our first venture into selling a cyber security service and it was a great success.
So, what's the lesson here?
First, to understand that the end goal for the business is to make money. The customers' goal for the base we could sell to (and so the target market) wasn't to have cool security tools and a managed service; it was to fulfil the compliance standard that enabled them to continue making money from their own customers.
Next, to understand how that is accomplished through your idea. The resources and expertise you have available will dictate the quality of your product or service, how fast you can get to market with it and the cost of going to market with it. With the first idea there was no means to execute it from the resources available, which meant there would be a large upfront investment in personnel to get a service up and running before you could sell to a customer. I also had no evidence that we would be able to sell this - not even a warm customer asking if we had an MSSP service they could buy. We would have been going in cold, and MSSP contracts and costs are significant for customers. They usually happen organically, from purchasing a combination of security services to begin with and working up to a managed service.
Creating the CE / CE+ audit service was certainly a better go-to-market strategy. As it was a basic transactional service it had less risk for the business, and less risk for customers, as these were one-off engagements. This meant the go-to-market strategy was more straightforward, as we could achieve this with the resources we had.
In essence, the scope was smaller and the service was simpler. This made it easier to start, but most importantly the service was now aligned with the requirements of the customer base we could sell it to and with the capabilities of the business to scale it. This was why the second product was a success.
This is what we mean by business alignment.
What else is great is that these same principles can be used when building an internal service for the business too.
Translating to other offerings
Purchasing a SIEM doesn't mean you have a fully functioning SOC. Purchasing vulnerability management doesn't mean the business is not vulnerable. It's important to keep in mind the end goal of what you are trying to achieve. These are tools to help you, not the end goal itself.
This is why at Rapid7 you may have heard us talking about "Protection Level Agreements" when customers are looking to improve their vulnerability management.
It forces the customer to say, for example, "can our team ensure 100% of the Patch Tuesday vulnerabilities are remediated within 14 days?"
Perhaps for end-user machines yes, but for servers? This would depend on how many Windows servers there are, change control processes, how many team members there are to complete this work and much, much more. They may say "we can patch 80% of non-critical servers within 30 days and 100% in 90 days". It means there is a clear definition of the service the stakeholders are purchasing. If they want to improve the protection level agreement, this will not always mean investing in more tools or employees, but first having metrics to identify the bottlenecks. For example, if their ticketing solution shows that it takes more than 10 days to go through change control on critical servers and another 5 days to schedule the work, then look at whether there is anything that can be done to reduce this time without compromising quality. Thinking in this way allows you to clearly identify the extent of the service you can offer the business, and allows the business to decide if the service is fit for purpose or requires more investment.
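To make the protection level agreement idea concrete, here is an added example (my own illustration, not a Rapid7 tool and not code from this article) that scores a constructed set of patch tickets against PLA targets like the ones above and pulls the change-control and scheduling durations out of the same ticket data. The asset classes, targets, ticket fields and dates are all assumptions made for the illustration.

```python
from collections import namedtuple
from datetime import date
from statistics import mean

# One patch ticket: asset_class is "workstation", "critical_server" or "noncritical_server";
# released is the Patch Tuesday date, cc_approved the change-control approval date (None when
# not required) and remediated the verified patch date (None while the ticket is still open).
PatchTicket = namedtuple("PatchTicket", "asset asset_class released cc_approved remediated")

# Protection level agreement per asset class: (target % remediated, within N days of release).
PLA = {
    "workstation": [(100, 14)],
    "critical_server": [(100, 30)],
    "noncritical_server": [(80, 30), (100, 90)],
}

def pla_compliance(tickets, asset_class, as_of):
    """Return (target_pct, days, actual_pct, met) per PLA target of one asset class. Only
    tickets whose window has closed by `as_of` count (None/None if no window has closed yet)."""
    results = []
    for target_pct, days in PLA[asset_class]:
        closed = [t for t in tickets
                  if t.asset_class == asset_class and (as_of - t.released).days >= days]
        if not closed:
            results.append((target_pct, days, None, None))
            continue
        hit = sum(1 for t in closed if t.remediated and (t.remediated - t.released).days <= days)
        actual = round(100 * hit / len(closed), 1)
        results.append((target_pct, days, actual, actual >= target_pct))
    return results

def bottlenecks(tickets, asset_class):
    """Mean days in change control, then waiting for a slot, for remediated tickets of one class."""
    done = [t for t in tickets if t.asset_class == asset_class and t.cc_approved and t.remediated]
    return {} if not done else {
        "change_control_days": mean((t.cc_approved - t.released).days for t in done),
        "scheduling_days": mean((t.remediated - t.cc_approved).days for t in done),
    }

# Constructed sample tickets for one Patch Tuesday cycle (not real customer data).
PT = date(2024, 3, 12)
TICKETS = [
    PatchTicket("ws-01", "workstation", PT, None, date(2024, 3, 25)),
    PatchTicket("crit-01", "critical_server", PT, date(2024, 3, 24), date(2024, 3, 29)),
    PatchTicket("crit-02", "critical_server", PT, date(2024, 3, 22), date(2024, 3, 27)),
    PatchTicket("srv-01", "noncritical_server", PT, date(2024, 3, 20), date(2024, 3, 30)),
    PatchTicket("srv-02", "noncritical_server", PT, date(2024, 3, 26), date(2024, 4, 15)),
    PatchTicket("srv-03", "noncritical_server", PT, date(2024, 4, 10), date(2024, 5, 20)),
]
```

Run against the sample, the non-critical servers miss the 80%-in-30-days target but meet 100%-in-90-days, and the critical servers show an average of 11 days in change control plus 5 days waiting for a slot, which is the kind of bottleneck the ticket data can reveal before anyone buys another tool.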
For businesses who are starting to bring the security function in-house and have a small team, or for IT MSPs wanting to offer their first MSSP service, I will say now that vendor managed services are certainly your friend and should be investigated as a viable option.
It's been highlighted by many people on LinkedIn over the last year that the "skills gap" doesn't exist for entry-level roles, as there are more candidates than job roles. The issue the industry currently has is the skills gap at the intermediate and expert level. These are hard roles to recruit for and they are expensive resources to have in place before you've sold a product.
Vendor managed services help to bridge that go-to-market skills gap, allowing you to offer the service that your customers are already asking you to provide (because you're already giving them a great IT service and they trust you).
In this instance you are aligning your customers' requirement, the expertise you have (or don't have yet) and the service from the security vendor that you are using to fulfil their need.
Rapid7 offers several managed services based around our products - managed vulnerability management and managed detection and response, to name two.
Consultative Selling
For customers and potential customers I interact with, when they have an idea about a service they want to offer that incorporates our products, I always like to get them to take me through the business case, the target customers and the in-house skills they have. It then allows me to add in my advice and experience as well, which helps turn the sale into more of a consultative process. To use an analogy: someone goes to the hardware store to buy a spade. They don't want a spade, they want a hole. But why do they want a hole? Because they want to plant a tree or put up a fence. Why do they want a tree or fence? Because they want privacy from their neighbours. After understanding the root cause of their desire to purchase a spade, you are able to suggest other solutions to get to the same result (a spade still might be the best one for their budget after this discovery, but you may discover that they're happier to pay someone to put a fence up for them). Understanding the true root of the requirement that the service is needed to fulfil is essential. Keep asking "why" until you get there!
To Conclude
Trying to summarise the key lessons I learned, and this article, is difficult, but here is my attempt at it (which I'm sure will be refined as the years go on):
Don't try and "boil the ocean". Start small, make sure it's aligned with what the customer or stakeholder needs and with what your internal expertise and resources can deliver - if you can't deliver, then look to outsource whilst you skill up. Prove it works and then you can expand. Always keep going back to the question: what is the end goal for us, what is the end goal for our stakeholders or customers? Even after the service is implemented, ask "is this still aligned?".
I hope this article has sparked some ideas and given some more insight into what we are talking about when we say to "align security with the business objectives".
If you like it please share or feel free to engage in the comments :-D
Co-Founder | Simple Security | Founder Infosec.live
1 year
It's only through a consultative approach that aligning your customers' requirements becomes possible. Love the approach Rapid7 are taking and thanks for sharing your journey!
UC/CC Support Manager
1 year
Brilliant article Dave!
Cyber Security Professional | Revolutionizing the SOC with AI
1 year
Great writing David!