Cybersecurity implementation manageable but operationalization difficult?
Cybersecurity capability set-ups are not merely Information Technology (IT) rollouts. Hence, benefits realization doesn’t happen with just the technology set-up. Equally important, and in many cases even more critical, is the operationalization of the technology delivery to ensure that the project objectives are fully achieved.
Technology product vendor demos often make the rollout of security tools seem very straightforward. But benefits realization gets stuck in post-implementation operationalization unless this is well thought through from day one of the project kick-off. There is nothing wrong with getting demos, but they provide a simplified view of the product’s capability. Demos are often good for understanding basic functionality and for comparing different product features. But they will not show the overall impact on upstream and downstream processes. Seen in a silo, the product might look fantastic, but only when we try fitting it into the overall ecology do we come to know the overall impact. While this could be true for any technology rollout, it is even more prominent in the security space.
Key reasons why operationalization is not easy and hence needs special attention:
Lack of stakeholder involvement from the beginning: Implementations focus on the technicalities of the technology set-up rather than taking an end-to-end view that includes business and process aspects. Hence, implementation teams fail to engage all stakeholders, especially the business side, from the beginning. When stakeholders are approached at the end, they are taken aback. Stakeholder consensus needs time and effort upfront. However, this is a must-have investment to ensure the overall stakeholder need is captured. Poor stakeholder engagement is surely a recipe for failure, irrespective of the investment size or how expensive the procured product is.
Legacy cases not taken into account: Unless it is a startup, every organization has some legacy technology or other that needs special attention. It could be legacy IT, processes, or data. If the technology implementation doesn’t capture the legacy scenarios, these become blockers during operationalization. Sometimes our implicit assumption is that the legacy technologies are edge cases and thus will be descoped. This will turn out to be a nightmare at the time of operationalization unless impact analysis is done ahead of project start. Thus, even if the implicit intent is to descope legacy for whatever reason, have an explicit security risk assessment and a clear agreement with stakeholders upfront.
The product might not be the right fit: The new product or tool might not fit into the existing technology and process landscape. Teams might be oversold by the product demos and fail to capture all key use cases. Hence, the new tool might work for the happy scenarios but fail when it comes to negative scenarios. Thus, it is imperative to cover all use cases exhaustively.
Lack of skilled staff: Cybersecurity implementations need skilled staff who can think through the user journey from both the technology and the functional aspects. Cybersecurity implementations differ in complexity from other technology rollouts. Hence, they need experienced staff who have seen the ups and downs of cybersecurity transformations.
Cybersecurity implementations need to be seen through the lens of the change management discipline. Benefits delivery requires systematic change planning even before kicking off the project. It is critical to understand the change impact before making a heavy investment, so that we don’t struggle to deliver benefits after implementing an expensive technology. Start by understanding the AS-IS set-up, then work through what is needed from a people, process and technology point of view to ensure that the implementation is successful. Remember, it is not just the implementation but the operationalization that is key to benefits delivery, as project teams will disappear after the project is delivered.