Does size really matter?
Updated: May 15, 2018
Goliath would probably come clean that size and might did not help him beat skill and determination. So why is it that our industry is still hung up on the mythology that "nobody ever got fired for hiring [insert big name here]"?
Australia is a nation of innovators (and disrupters) who are not afraid to challenge well-established markets (anybody remember the Winged Keel?).
It is only in the last few years, however, that we have seen a mass exodus away from the attraction to a name, and towards a more convenient, customised and lower cost services model.
So why has this happened? Disillusion with failed projects and services from the monoliths?
Or is it a desire to access the real talent inside these organisations, whose creativity and innovation are often stifled by a "welcome to the organisation, there is your cubicle, say hello to your 50 peers" approach?
Is it really a surprise that Clients have become tired of conversations such as "That's not part of your service" or "We will have to allocate an account / project manager to develop an estimate (for a fee, of course)" or "You can only use product X, because that is what we support"?
Remember the days when you could just pick up the phone and talk to someone who understood you and your organisation, was invested in helping you and could give you good advice, and you did not have to navigate your way through an IVR?
The key question is "Does bigger mean a better outcome?"
Well, how you define better will depend on a number of factors: Time, Cost and Quality are usually a good start, as is Customer Experience.
Is it better to have an army of generalists working on an outcome or a smaller team of specialists? The answer often comes down to a Client's priorities and specific objectives.
These objectives in security tend to be driven by an organisational desire to:
1) Overcome a specific technical or business challenge
2) Address a specific risk or counter a given threat
3) Meet a compliance obligation or responsibility
4) Provide a specific customer experience or support the vision of a brand
A recent conversation with a notable security leader reinforced the tremendous pressure that Security Leaders face to make their budget stretch as far as possible in managing the broadest amount of risk they can.
When asked whether 'Capture the Flag' style security engagements provided value, his response was that he was more interested in knowing where his exposures were vs whether one could be exploited, and that for him, simply demonstrating a single exposure did not really help him manage risk (although some of his peers had used such activities for political mileage or to prove a point).
With the high demand for security expertise, both models likely have their place. Most CxOs we speak with actually want to have an organisational relationship where both parties benefit from shared history and knowledge of each other's strengths and weaknesses but, overall, can TRUST each other.
If you are a massive organisation, perhaps you can afford to lose a client as a result of them not fitting your service. For a smaller, boutique cyber security service provider, however, every client is hard won, and they will therefore (not surprisingly) work much harder to meet their clients' needs.
Size can sometimes impact on quality: assumptions get made within a larger organisation, communications between colleagues can be more cumbersome or complex, decisions get made by committee, lines of accountability get blurred and following a service issue or failed objective. Fewer decision makers and single points of accountability within boutiques can often get better outcomes.
Contact us to have a discussion about how we can provide you with a service which is tailored to fit your needs and founded on an ongoing relationship and customer experience.
Author: Clinton Smith