Leader Or Fast Follower?
Is it really best to be on the leading edge?
Fri, September 30, 2011
CSO — Is it really best to be on the leading edge?
Or is it better to be a fast follower? (Note: If that's your strategy, make sure you really are fast.)
This is an age-old strategy question relevant to companies in a wide array of markets. And it's equally relevant to security professionals, in the contexts of both their organizations and their own careers.
Let's define leading-edge security pros as those who try relatively untested ideas, tools and approaches.
On the plus side, this strategy may provide your company with a competitive advantage in your industry. It can give you a better ability to work with your vendors to help shape products and services that meet your specific needs and priorities. It may offer you more creative and stimulating work, and the ability to retain creative staffers.
The obvious downside of a leading-edge approach is that you will spend time and money on ideas that don't pan out. You and your ideas are an easy target for criticism, and that criticism won't always be unwarranted. Some of your ideas may be simply wrong.
So leading-edgers tend to get either the glory or the pink slip.
Being a follower doesn't sound glamorous, but it's a legitimate business strategy. Fast followers take fewer risks; by copying ideas tested and refined elsewhere, they have fewer failures. Obviously the downside is that by definition, they will never be ahead of the competition. And in security, 'the competition' includes criminal adversaries.
In choosing your own approach, you have to decide two things:
One, are you confident enough in your new ideas to bet the farm?
And two, does your risk appetite match that of your organization?
While most of us make those decisions based on our individual situations, there is also a macro question to be addressed. Namely, without risk-takers, how can the entire profession move forward?
This question, whether to be on the leading edge or hang back as a fast follower, is significant to me in my job, as I set the editorial strategies for CSO magazine and CSOonline.com (and those strategies are closely related but not the same). Should we simply publish security news and product announcements? You can make a profitable business that way, and some do. Or should we aspire to something more? Personally, I think reactive security coverage is important, but ultimately it doesn't move the profession forward.
To keep up with the rapid evolution in the attack space, I think the defenders need to continually examine new strategic ideas, processes and organizational models.