For a Successful Security Roll-out, Mirror Existing Processes–Don’t Reinvent Them
Security vendors love to characterize their offerings as “disruptive.” The word is descriptive and sometimes appropriate, even if critics claim the term should have been retired long ago, and some profess to hate the notion of disruption “with the heat of a thousand ghost peppers.”
Harsh, but I get it.
The reality is that disruption as a concept is enticing to software vendors–who doesn’t want to shake up the status quo?–but the notion of disrupting established processes and workflows often elicits quite the opposite reaction from customers. In fact, six out of 10 executives view digital disruption as a threat rather than an opportunity.
So for a security solution roll-out to be successful, it’s vital to acknowledge this reality going in. Vendors think disruption is awesome. (After all, they’re the ones causing it.) But introducing new systems into the workplace is often viewed by overworked employees as yet another thing they have to learn, even if learning that new thing will save them time and trouble. (Think of it as the workplace version of what marketing pundits call inertia loyalty–an ultimately hollow but very real kind of brand loyalty that keeps folks sticking with their current mobile carrier or lawn service even when there is plenty to dislike about them.)
Less disruption, more success
To make your particular flavor of disruption a little less disruptive to customers, I recommend you consider these best practices.
Meet people where they are, not where you want them to be. A successful roll-out is a series of refinements and optimizations, not a wholesale reinvention of the way the customer is doing things now. It’s almost always a series of small steps vs. a giant leap. This is key to ensuring your new system works within established workflows. In the vulnerability management realm, that means continuing to use as many currently deployed tools as possible (such as scanners, configuration management databases, and automated asset discovery tools) so stakeholders see this isn’t a rip-and-replace situation. It also means preserving existing work relationships, which brings me to my next point.
Honor existing relationships. It’s hard to place a value on productive workplace relationships. They’re so vital, in fact, that nearly nine out of 10 workers say an inability to collaborate leads to failure. And when a new system rolls into an environment and shatters efficient, collaborative working relationships, workers naturally tend to be resentful and uncooperative. So you’ll want to be sure to identify those relationships early on and be careful to preserve them. Within vulnerability management, the security team may continue to drive vuln analysis and prioritization, but it will still fall on IT and AppDev to handle remediation. The good news is that state-of-the-art vulnerability management solutions make all this much easier. At Kenna Security (now part of Cisco), we prioritize vulnerabilities by the relative risk they pose to a specific organization, and we use risk scores, risk meters and dashboards to communicate that risk in a way anyone can understand. We find this makes it simple for anyone in the vulnerability management workflow to know precisely what’s a priority and what isn’t. (It also reduces the friction that often exists between security and IT.) In fact, we’ve seen remediation teams compete with one another to see who can lower their risk scores the most.
Enhance what you already have. Earlier I mentioned keeping many of the tools people already rely on to lessen the blow of introducing something new to the environment. Related to that is doing what you can to get more value from those existing tools. If your new security solution incorporates a robust API, then the customer can use it to automate previously manual processes or to simplify how your new solution works with the other tools they already use. Our API Evangelist, Rick Ehrhart, details different ways Kenna customers can get more from their vulnerability management environment in his monthly API Guy blog.
Win over skeptics with cold, hard data. Your internal advocate may be gung-ho on rolling out your solution, but in a typical enterprise, that advocate has dozens, possibly hundreds of less-than-enthusiastic gatekeepers to win over to your side. So it’s up to you to equip them with easily digested information that will help hesitant stakeholders to see what’s possible on the other side. While cost savings typically resonate with managers but less so with rank-and-file workers–employees often believe cost-saving measures come at their expense–there’s one benefit that’s always worth mentioning to anyone within earshot: Time savings. You can point to your own time savings data, of course, though we’ve found third-party data seems to engage skeptical audiences more effectively. For instance, in a TechValidate survey of 135 Kenna Security customers, 55% of organizations said they reduced the time they spent on vulnerability investigation by more than 50%. Another 44% cut their remediation time in half. And over three quarters reduced time spent on vulnerability reporting by at least 25%. That’s the kind of disruption anyone can get behind.
Learn more. To dig deeper, I recommend this excellent webinar hosted by Kenna co-founder Ed Bellis and featuring Rick McNulty, a security veteran in both private and military environments who shares his own first-hand best practices for implementation. It’s focused on a risk-based vulnerability management roll-out, but much of what Rick shares will apply to any security solution.
A successful implementation involves a lot of steps, though preserving what works in the current environment will help the chances that your roll-out will hit its mark. If you can make your solution as recognizable to stakeholders as possible, they’re more likely to view your product as a positive addition to their work environment. Disruption may be inevitable, but it doesn’t have to be painful.