โDonโt you have a snowblower? Why are you shoveling?โ asked my friend, Larry. The answer, as I explained to him, is a little bit complicatedโฆ
We lived in our previous house for 11 years. It was a great place, exceptโฆ when it snowed.
Thatโs because our long, straight driveway sloped down towards the garage. Plus, it had four-foot-high retaining walls on either side.
Which meant that whenever it snowed heavily, I had to be certain the pavement was super-clean, or else there was no getting up that snow-packed driveway. Plus, thanks to the retaining walls, tossing a foot (or two) of snow up and over with a shovel was really hard work.
So when we bought that house, I immediately got a snowblower. Problem solved.
We moved into our current house three winters ago. Here, our driveway situation could not be more different: The slope runs away from the house and there are no retaining walls.
Now when it snows, not only is shoveling perfection no longer a requirement, but pushing it off to either side has become an easy and obvious option.
And the snowblower? Well, these days, itโs a solution in search of a problem โ I have not used it since we moved in. All it does now is take up space in the garage.
A Changing Use Case
One of our clients had a full-time CISO, a self-managed security operations center (SOC), and a dedicated in-house security team of eight. But when business slowed and they downsized, the team was let go and the SOC was outsourced to a third party.
At that point, and while it didnโt occur to them initially, many of the systems and tools they still had in place were no longer necessary. In other words, they had a โsnowblower in the garageโ that was not being used.
We see this kind of thing often. Companies make intelligent, well-considered decisions regarding their cybersecurity. But when things change โ whether due to new internal priorities or evolving external threats โ they continue operating as before, often expending resources unnecessarily.
Sometimes, the risk environment itself is no longer the same. A company with an important client in a high-security industry (government, financial, etc.) may have been required to implement strict web filtering protocols that limit remote access for its employees. But if that client leaves, continuing to optimize for risk rather than ease of business may negatively impacting productivity โ with no offsetting benefit.
Other times, the solutions themselves age out. For example, if a vulnerability scanner no longer provides up-to-date information or delivers findings that are redundant with other, newer solutions, it may waste resources by flooding security teams with noise.
Whatโs the โRightโ Answer?
As in often the case with business resource decisions, โit depends.โ What works best for one company โ at one point in time and under one set of conditions โ wonโt be right for another company or a different time.
So do your best to not just make the right decision now; commit to continually reevaluating. Periodically take a look with fresh eyes at what you are doing. If things have changed, modify as needed. Otherwise, you may end up spending time, money, and human resources preparing for problems that no longer exist.
In the meantime, if you know of anyone who could use a well cared for โ but not recently used โ snowblower, please send them my way!
Want to get great cybersecurity content delivered to your inbox?ย Click hereย to sign up for our monthly newsletter, Tales from the Click.
