When most people hear or use the phrase “dealer’s choice,” they interpret it to mean that the person saying it is deferring entirely to the whims of the person to whom it’s being addressed. For example, two friends decide to go out for lunch. One asks where the other wishes to go. The deferred-to party replies “dealer’s choice,” relinquishing all decision-making power (without reservation or consequence) to the asker. It’s a simple English phrase … and it’s often misinterpreted.
If you look up the actual definition, there’s more to it than just letting the card dealer call the game that’s to be played. It also includes “…any special variations or unusual rules, including setting the stakes.” That doesn’t seem like much of a change at first glance, but it actually makes a huge difference in how the game is played (regardless of what the game might be). Why does this matter, especially in a cybersecurity blog?
Because this is how the security game gets played in the FORTUNE 500. If you don’t understand the rules of a game, then you can’t possibly win it.
Here’s the thing: in a small company, the head of IT decides how the organization buys, deploys, monitors, and takes action on all security equipment and practices. The IT Manager (by whatever title) usually does double duty as the day-to-day operations manager and the “security guy.” Once a company becomes a medium-sized organization, the security group usually gets split off from the IT operations group – as it should be! – so that the creative tension between the two competing teams helps the executives make informed and balanced decisions about security practices. Still, a medium-sized company has only one go-to source for acquiring, deploying, monitoring, and acting on security equipment and practices.
But in a large company … in a large company, the equation changes. There may be only one official IT department and only one person wearing the CISO title (or CSO; whatever), but there are many, many ways for IT gear to get placed into production. Every division and every campus in a large company has some degree of autonomy. Every executive with budgetary authority can spin up his or her own IT solutions on a whim (especially now that Amazon Web Services may as well be a Coke machine for how easy it is to use). Every CXO and VP and Managing Director in the company has the ability to deploy his or her own shadow IT capability, all without the knowledge, approval, or oversight of the CIO and/or the CISO. That means trouble. It may be done for all the right reasons, but it’s trouble all the same.
This is where that simple phrase comes into the story, and why it matters. It is imperative that you partner with someone who seeks to understand your internal operations and whether or not the solution and plan fit them. The service provider’s rules are simple: dealer’s choice … however, the service provider needs to act as a partner and know that what’s being deployed is right for the client’s business as a whole. If you partner incorrectly, the service providers (or VARs, consultants, or integrators) will see this as your problem and not theirs. It’s imperative to partner with a security expert who strives to understand the client’s holistic needs and definition of success AND also maps the effort back to a true business use case and value add to the company as a whole.