
A practical strategy for buying a cybersecurity solution that makes business sense

Not having a solid strategy to address your organization’s cybersecurity threat potential is the kiss of death for any business. Buying a solution that isn’t the best fit to meet your specific employee awareness and data protection training requirements is even worse. What you need is a business strategy that makes sense and ensures that both are met.

So you want to buy a cybersecurity solution. What is the problem you are trying to solve? Is it a one-time problem or a more important problem? How did you decide that this “problem” is the priority? Most organizations remain in tactical warfare: reactively managing tools, putting out fires, and this is their cybersecurity program. They decide what “problem” to budget for when a tool becomes useless or an expert tells them they need something to fix a problem. But if you don’t adopt and implement a framework to support your cybersecurity strategy, all you have is a mission statement. You’ll stay caught in a tactical war, reacting to the latest industry news and internal noise, buying more problem-solving tools when strategy is what you need.

Organizations of all sizes continue to suffer breaches. Millions of dollars in ransomware are paid per incident, nation-states hold the upper hand, and organized crime gets away with it and laughs. What can we really learn? That we need to adopt a resilience mindset. A resilient business accepts the reality of a breach and creates “solutions” to quickly detect, respond to, eradicate, and recover from a compromise. Containment is key. Detection is the pivot. If you stay in the weeds, managing firewalls and other security infrastructure, chasing vulnerabilities and patching, then you will remain in reactive mode and miss the real threat actors.

Let’s get out of the weeds and get serious. The real problems to solve are lack of time and lack of focus. Frameworks offer both. Be proactive and choose a framework carefully, making sure it matches the context and culture of the organization. CIS, SANS Top 20, NIST, ISO and other security control frameworks are great options, but only for the right environment! Choose wisely, start simple, establish the basics, and then you will have a baseline to measure against and build on. Adopt a continuous improvement mindset and your cybersecurity program will become a resilient, dynamic, and adaptable ecosystem that keeps up with the evolving threat landscape. Exceptional brainpower is required to select a framework and implement the appropriate “solutions” to develop this capability. This is the correct use of your team’s time, not the management of security tools.

Stop paying organized crime and instead pay the good guys: increase security budgets and invest in your own army to defend against and defeat the bad guys. Be realistic that you and your teams cannot do it alone. It is not practical, feasible, or achievable. Leverage service providers for scale and efficiency, and use them as your force multiplier. For a fraction of the cost of additional security personnel, you get consistent performance, backed by SLAs, and dependable functionality from a 24/7 operation run by dedicated experts. Of course, you need to choose a vendor carefully, but when you do, you’re buying time – precious time for your team.

The best use of a cybersecurity professional’s talent is deep-thinking projects on business and IT initiatives, not managing tools. These include cloud adoption, data protection, advanced threat hunting, establishing reference architectures, evaluating emerging technologies, design reviews, and improving the cybersecurity program. This is how the organization shifts to a proactive and resilient mode. Hold service providers accountable for routine cybersecurity functions traditionally delivered by tools but now consumed as a service. The output of those services is refined feedback that lets your security experts make more informed decisions about your cybersecurity program.

Buying cybersecurity the right way means starting with a risk analysis. Ideally, this includes current, informed, and mature threat models. This is only the beginning, because it should be an iterative process: risks change over time, and so does the analysis. The risk analysis defines the strategy; then a framework must be chosen, defended, and implemented to set that strategy in motion. Choose carefully! It will be the foundation of your cybersecurity program, and early success is vital to continued adoption and support. Being overly ambitious, draconian, or ignoring company culture is the perfect recipe for failure. But establishing a proactive and adaptable program based on a framework brings resilience to the 21st-century business.

The recent stories from FireEye and SolarWinds give us all a serious wake-up call to the reality of cyberwarfare in the 21st century; they are much more than “yet another breach.” Your business depends on IT to deliver services, take orders, ship goods, and earn revenue, and you are connected to the Internet. Accept that a breach will eventually happen to you, because this is the new reality. Embrace a framework to deliver an adaptive, risk-based cybersecurity posture.

That is the essence of cyber resilience. Focus on better threat hunting, data protection, incident response, and continuous improvement. Make informed decisions from tool output, and buy the tools as a service, which is a far more efficient use of time than managing them. Let the experts manage the tools, so your team can focus on the information in those tools and see the bigger picture of threats.

Think holistically across the business and its silos. Establish a reference architecture built on a framework. Increase budgets to move from a reactive to a proactive stance, using the scale and expertise of service providers for all the basics. Focus your team’s efforts on the more advanced and much-needed areas where you can best utilize their brainpower.

Save time for your team. That is the solution to your cybersecurity problem.
