The Value of Working with External Cybersecurity Advisors
Modern businesses depend significantly on technology; thus, it is critical to ensure that their business processes and data are resilient to potential threats. Depending on the scale of the business, it may not always have the in-house expertise to deal with the technical debt it has accumulated for various reasons. Bringing in external advisors can provide a fresh set of eyes and a new way to approach the problem, without the political baggage and pressure that company stakeholders carry. Throughout my career, whether as an internal or external consultant, as a manager coaching a stakeholder, or as a mentor to a stakeholder, I have used a framework of Discovery, Solution, Network, and Execution.
Discovery:
As an external advisor, one of the first things I focus on during any engagement is discovery and understanding the environment. During this phase, I focus on understanding the business environment, the technology that supports critical businesses, and the resources available to address business challenges and the changing threat environment.
The siloed nature of operations in many businesses often prevents their technical resources from understanding the business and technology operations outside of their department. Silo-ization of environments can cause implementation and roadmap disconnects between systems, services, and departmental collaboration. These disconnects can lead to increased system incompatibilities, vulnerabilities, compliance issues, and financial costs to the organization.
While the organization's resources focus on supporting and maintaining their systems, they often end up with blinders on, concentrating only on the technologies needed to keep systems running and not keeping up with the changing technological and threat landscape. The team focuses on what they have and keeps it running smoothly. This mentality is focused on "keeping the lights on" rather than taking a continuous improvement or innovation approach to system maintenance. The outcome is that they often end up supporting outdated legacy systems that might be outside of their support life cycle, with vulnerabilities left unpatched by the application developers, which forces an assortment of organizational defense strategies to be put in place to keep those systems secured.
While the organization focuses on the business processes that generate revenue, support functions like Information Technology and Security teams are often considered operational cost centers. As a result, these departments do not get the necessary funding and training, and they cannot invest in opportunities to improve and continuously provide optimal support and solutions.
All these drawbacks often increase financial, compliance, and operational risk exposure. With the continuous evolution of the technology and threat landscape, threat actors attack using ransomware, data theft, data exposure, and, more recently, even the threat of regulatory reporting of exposures. This threat landscape means that organizations are potentially exposed to financial losses, damage to their reputation and consumer trust, and increased regulatory and legal pressure for non-compliance.
During this phase, we will often formally or informally perform some sort of assessment to understand where the business currently stands relative to where it desires to be, whether that target is driven by regulatory requirements, contractual requirements from clients, or a desire to set the gold standard within the industry for reputational reasons. It is also essential to understand any organizational landmines or history that caused them to get there in the first place, such as cultural barriers, financial constraints, and other potential roadblocks that can affect the future of the project or program.
Solutioning:
After observing, interviewing, and assessing the operational and organizational environment, it's time to start considering solutions to help the business achieve its goals and mission. During this phase, an external cybersecurity advisor can draw on the fact that they have consulted with multiple organizations across varying states of maturity and industries to bring in best practices, innovative solutions, and creative ways to address business challenges, without the tunnel vision that internal resources often develop.
External advisors often have to spin up new technologies to tackle their clients' business problems, forcing them to be open-minded, adaptive, and continuously learning and experimenting with new solutions or implementations. This diverse experience allows them to collaborate with internal and external resources, getting advice, recommendations, and specifications to develop ideal solutions. Their expertise also allows them to see what works from best practices and legal and regulatory requirements to process improvements to ensure your company remains competitive and profitable.
External advisors often research and experiment while developing the envisioned solution's architecture, design, and requirements. Frequently, they will present clients with multiple options: the art of the possible, a minimalistic solution, and a recommended solution. Providing a range of options to executive leadership lets advisors offer a more unbiased opinion untainted by previous organizational restrictions. Sometimes, project stakeholders will even hire external advisors knowing that their ideas might gain more traction and business priority than an internal project implementation and budget request would.
Networking:
While stakeholder endorsement and buy-in are needed to bring in outside resources, this often needs to be reinforced once they have begun understanding environmental gaps from the discovery and assessment stage. Constant communication is critical and includes information about the findings, opportunities for investment/improvement, and the required effort to remediate or implement the necessary solutions so that there are no surprises to executive leadership. While there might not be political pressure on the external advisors, it does not mean they do not need to overcome embedded fiefdoms within the organization.
During this phase, external advisors can bring in additional expertise in product or technology domains to present the art of the possible, their findings, and recommendations for the organization. Advisors usually end up networking with various stakeholders to share the value of the proposed solutions, ensuring that they do not negatively impact other departments, and negotiating specifics about the implementation with project and business stakeholders. An outside perspective like this is usually another value added when using external advisors; with their experience and industry knowledge, stakeholders are more willing to adapt to recommended changes and modifications for improvements, even if they have been suggested before and passed over by internal stakeholders.
Execution:
External advisors often deliver the most value for the organization during execution. Most advisors have executed projects like the one you need, or similar ones, so they have experience proactively identifying project risks and opportunities based on their extensive history. Use their expertise to smooth the transition from project execution to daily operations. Ensure that your team learns from them during the execution phase to absorb their knowledge and support the delivery in the long run.
You also want to ensure that you not only use these external advisors for the execution of the project but also that knowledge transfer takes place during execution so that your stakeholders can support the result in the long run. You should aim to obtain the technical implementation steps, technical dependencies, mapped processes, and data flows in and out of the application or process (if applicable), as well as run-books that tell your team where to check and how to get things back on track if something goes wrong in the future.