It is amazing the number of times I hear of organizations switching from one SIEM platform to another, only to have the exact same problems that caused them to switch in the first place. I am here to tell you that the grass is not always greener on the other side.
Some of you might be familiar with the 1993 Harold Ramis film “Groundhog Day”, starring Bill Murray and Andy MacDowell. For those that are not, here is the general theme, a weatherman gets stuck in Punxsutawney, Pennsylvania and relives the same day over and over, only to realize that you have to make changes to expect a different outcome. I would suggest that this is the perfect metaphor for organizations that switch SIEMs only to relive the same mistakes again and again.
The reality is this: you get out of something that which you put in. The reason why organizations fail with a particular technology tends not to be the technology itself, but the people and business processes in place to leverage the technology. To be clear, I am not suggesting that there are not unique competitive differentiators in SIEM technologies. However, organizations need to be able to look in the mirror to determine if the reason why they want to make a change is in fact the technology or the people and processes in place to support them. You might be surprised with what you see.
The SIEM companies do a fantastic job of marketing and selling feature sets and capabilities that may in fact be simpler or more cost effective compared to an incumbent. For example, I heard one vendor recently tell a company that the technology would be fully operational in less than 6 weeks. After the vendor presentation, the client and I sat down and discussed the “claims” and together we came to the same conclusion – it would be more like months if not a year to get to the same point that they are at today. Why? Because people cannot drop what they are doing and devote 100% of their attention to re-implement on a new platform and cutover from an existing one. And if that wasn’t enough, try to do it without duplicating existing staff functions and devote time to keep the feature sets in sync.
In addition, there are the following challenges that most organizations face: training and education on the new technology, content/use case re-implementation and testing, executing controlled change and other governance procedures (audit, design certification, security assessment), operating and maintaining the existing solution, and ensuring that the new solution creates equivalent or better business value for all users. Needless to say, in a large multinational (or even a small or medium business where people juggle even more tasks), this is a daunting task.
Even taking these factors into account, staffing up to handle the transitional workload introduces risk. Too much outside talent on the new implementation effort leaves the existing workforce out of critical decisions and learning opportunities. Bringing in outside talent to manage the currently operating platform burns time for the existing team to get contractors up to speed. The former scenario may get you on-time delivery but leave your current staff under-prepared. The latter may better prepare your current staff but could wind up burning just as much of their time as they would have spent without the added headcount.
Most technologies are bought on pure emotion. Sure, we rely on features and functionality to justify our decisions, but human beings generally do a poor job of estimating the impact of major changes to their environment. In addition, they rarely consider the possibility of new and poorly understood problems created by their inexperience with a new platform. If you are one that excels at this, you likely have not experienced this “Groundhog Day” moment. But if this metaphor rings true to you, you might want to consider hiring an outside party that does not have emotional attachments that you and your team might possess to provide a true vendor agnostic point of view on your unique SIEM problem set.
Since 2012, we have been providing our clients a fresh perspective and have saved them millions of dollars in time, energy and unnecessary “grass is greener” investments that would not have realized the business value as promised. If you need a little therapy, a sounding board, or just can’t find a good introspective mirror, by all means, schedule a free 30 minute consultation with one of our SIEM experts to talk through your decision and make sure you’re actually creating a new future. Should you elect to leverage our experience, I assure you that there won’t be another “Groundhog Day”.