Is it really best to be on the leading edge?
Or is it better to be a fast follower? (Note: If that's your strategy, make sure you really are fast.)
This is an age-old strategy question relevant to companies in a wide array of markets. And it's equally relevant to security professionals, in the contexts of both their organizations and their own careers.
Let's define leading-edge security pros as those who try relatively untested ideas, tools and approaches.
On the plus side, this strategy may provide your company with a competitive advantage in your industry. It can give you a better ability to work with your vendors to help shape products and services that meet your specific needs and priorities. It may offer you more creative and stimulating work, and the ability to retain creative staffers.
The obvious downside of a leading-edge approach is that you will spend time and money on ideas that don't pan out. You and your ideas are an easy target for criticism, and that criticism won't always be unwarranted. Some of your ideas may be simply wrong.
So leading-edgers tend to get either the glory or the pink slip.
Being a follower doesn't sound glamorous, but it's a legitimate business strategy. Fast followers take fewer risks; by copying ideas tested and refined elsewhere, they have fewer failures. Obviously the downside is that, by definition, they will never be ahead of the competition. And in security, 'the competition' includes criminal adversaries.
In choosing your own approach, you have to decide two things:
One, are you confident enough in your new ideas to bet the farm?
And two, does your risk appetite match that of your organization?
While most of us make those decisions based on our individual situations, there is also a macro question to be addressed. Namely, without risk-takers, how can the entire profession move forward?
This question--whether to be on the leading edge or hang back as a fast follower--is significant to me in my job, as I set the editorial strategies for CSO magazine and CSOonline.com (and those strategies are closely related but not the same). Should we simply publish security news and product announcements? You can make a profitable business that way, and some do. Or should we aspire to something more? Personally, I think reactive security coverage is important, but ultimately it doesn't move the profession forward.
To keep up with the rapid evolution in the attack space, I think the defenders need to continually examine new strategic ideas, processes and organizational models.
I hope you find that CSO contributes to that process. Over the years I believe we have:
In 2002 we launched with the notion that security leadership was maturing and had to mature, and become fluent in the language and style of corporate leadership. Many businesses aren't moved by the argument "it's the right thing to do." Better persuasion techniques were required.
We wrote extensively about SCADA systems security in 2004 (and several folks wrote in to assure us this was pointless fearmongering).
We examined the commonalities and synergies between physical and digital security in our very first issue, tracing this discussion through convergence and on to enterprise risk management. By 2005 we had stopped saying "you really ought to work together" and moved on to discussing HOW--in areas including
and so on.
If you're reading publications that are just now writing about how IT/physical confluence leads to big turf wars, you're consuming information so far behind the curve it's laughable.
But now the big secret.
How do we stay on the bleeding edge? Why, it's you, of course.
We sprinkle in our own perspective and analysis, but the basis of CSO is the invaluable experience and input of real security leaders on the front lines. Finding the forward thinkers and giving their ideas a stage.
(So maybe we're just fast followers after all.)
This story, "Leader Or Fast Follower?" was originally published by CSO.