“These people, dressed as they are, come from all over the United States to make deals here in the marketplace of America, ‘Let’s Make a Deal.’ And now, here’s America’s top trader, TV’s big dealer, Monty Hall!”
This is how every episode of the game show “Let’s Make a Deal” began in the 1970s. Whether or not you’ve seen the show, you may be familiar with the so-called Monty Hall Problem. This probability puzzle introduces the following scenario: you’re a contestant on a game show and you’ve been given the choice of three doors. Behind one of the doors is a car. Behind the other two doors? Goats. You choose door #1 and the game show host, who knows what’s behind each door, opens door #3 to reveal a goat. He then asks you if you want to switch your choice to door #2.
Should you do it?
Thankfully, the man who posed the problem in 1975, American statistician Steve Selvin, also gave the answer: yes.
According to Selvin, under standard assumptions, contestants who switch to door #2 have a 2/3 chance of winning the car, while those who stick with their original choice have only a 1/3 chance of winning.
To put it both bluntly and simply, if you don’t change, you lose out on the deal.
At GreyCastle Security, we are often approached by companies that are trying to make multi-million dollar deals with large multinational corporations. These large corporations require that the companies they work with have strong cybersecurity programs in place, because the vendor contract requires those companies to access sensitive information and the corporation wants to avoid any compromise of that data.
For the smaller company, making the deal often means making a change.
Nine times out of ten when these companies approach us, they have no cybersecurity program at all – and this leads to a “fire drill” situation where they now need to rush to put a program in place (or they’ll end up with the business equivalent of the goat behind door #1).
As a business, you need to have an evolving and organic cybersecurity program. Don’t let the lack of a formalized cybersecurity program get in the way of your business growing. Here’s what you’ll need to do to get started:
You’ll also need to be able to properly communicate what
At this point in our Monty Hall Problem, our contestant made the change. They switched to door #2 and won the car. Now that they’ve got this new opportunity – where are they going to take it?
What about your deal? When it comes to cybersecurity, making necessary changes to your program introduces new opportunities, but, thanks to security questionnaires, it may not feel that way at first.
When large, risk-averse corporations want to bring on a new partner or vendor, they’ll have their vendor risk management team evaluate whether or not the potential partner has their stuff together from a cybersecurity perspective. A part of this process often includes a 250-page document that asks questions about your cybersecurity program. Some of the questions within the security questionnaire document are relevant while others are not, but your success in growing your business with large corporate clients is dependent on your ability to give a satisfactory response.
Many companies don’t understand how to fill out these security questionnaires or don’t have the resources to fill them out accurately (including not having enough staff to handle a growing number of questionnaires). There is also the added difficulty that questionnaires differ from one corporation to the next, each with its own questions. It’s not unusual for companies to feel like they’re drowning in security questionnaires. The best course of action? Get ahead of these questionnaires by building a strong, foundational and formalized cybersecurity program that helps you address the issue proactively.
Being able to properly communicate the risks you may introduce, and to explain the compensating controls and security measures that keep those risks in check, should streamline the process and help you secure business with big clients.
The more business you earn, the harder your job gets as you process an increasing number of security questionnaires, but it also provides you with a golden opportunity to make significant and measurable improvements to your cybersecurity program. This is the silver lining.
Want to win more business? Then you’ll need to build a cybersecurity program that looks at your people, processes, and technology as well as understands the risks you have internally and the risks you introduce to clients. At GreyCastle Security, we help organizations become armed with a system to identify and categorize these areas. And those people in your organization getting hammered with security questionnaires? Their job gets easier because they have a formalized process.
Once your cybersecurity program is fully functioning and harmonious, your company can grow more quickly, with the added bonus of lowering your risk.
So… which door do you want to open?
Mike Stamas is an entrepreneur, Chief Business Development Officer and Co-Founder of GreyCastle Security. GreyCastle Security is the industry’s leading provider of cybersecurity risk assessment, advisory, and mitigation services.
With over two decades of experience in the technology sector, Mike pairs his management and business development skills with a deep understanding of information security. He brings a unique brand of risk-based advising to clients and prospects.
Mike holds certifications in numerous security and related areas, including the Department of Homeland Security and other security technologies like Symantec, Cisco
Mike also plays an active role in his community and currently serves as a Board Member and Vice President of InfraGard in Albany, and holds board positions for the Capital Region YMCA, Troy Branch