Fresh Thoughts #119: Is Your Service Provider Treating You as a Pet? Or Cattle?
- Newsletter
One of the enduring analogies from the move to cloud computing is pets vs. cattle.
The analogy goes...
Before cloud computing, we treated our IT equipment and servers as pets.
Indispensable, unique, and precious.
We "hand-fed" them.
Tending to their every need.
But with cloud computing, everything is replaceable.
It's designed for failure.
There is no tending or hand-feeding.
The IT equipment and servers are cattle.
Living in a rural area, I hear the analogy daily - in people's language.
My octogenarian neighbour is a farmer.
She talks about the cows in the fields as "beasts".
As a mixed farm, there is a cycle.
The cows arrive in the early spring.
Grow over the summer.
And, finally, they are sent either to market or into a dairy herd in the late autumn.
While she has considerable compassion for animals and will go to great lengths for their health and welfare, there is no denying that by late autumn, they will all be leaving...
And replaced next year with new cattle.
Each animal is replaceable.
Efficient operations are crucial.
In contrast, the nomadic shepherdess, whose flock grazes the under-used land around our village, refers to her sheep as "old ladies".
Each ewe has a name and a temperament.
Losses are mourned.
There is no replacement for lost friends.
New ewes are brought into the herd as new individuals.
Efficiency is a consideration, but it is not a driving concern.
MSPs Treating Customers as Cattle
I've been thinking about this analogy recently as I have worked with more and more IT Managed Service Providers who have recently started offering cybersecurity products and services.
I was recently brought into a discussion with a business owner and their MSP.
The business owner lost trust in the MSP and refused to implement their security measures.
The conversation began...
[MSP]: Here are the security measures we will implement.
Me: Ok... What are the critical threats they mitigate?
[MSP]: They follow NCSC best practices. We use them ourselves, so they are good.
Me: Hmm... Have the security measures been adjusted to your customer's business - in any way?
[MSP]: No. They follow NCSC best practices.
Me: Hmm... Have you spoken about your customer's business priorities and day-to-day operations?
[MSP]: No.
Me: Hmm...
Unsurprisingly, the proposed security measures blocked many of the business's day-to-day processes.
And stopped the business from operating efficiently and effectively.
The business owner was fully justified in refusing to implement the security measures - as the business would have shut down overnight.
This is only the latest and most obvious example.
However, I see a recurring pattern of MSPs treating their customers as cattle.
Pushing - "This is how you must do security." - without considering their customer's business.
Final Thoughts
We have been through this before.
In the early days of cybersecurity as a profession, there was an ingrained approach of finding all the ways to say "No. You're insecure.".
But, in time, we learnt that the business always decides.
Is the risk acceptable?
Risk decisions are unique to each business and context.
These decisions cannot be generalised.
When it comes to security, MSPs need to learn to treat their customers' businesses as irreplaceable pets...
Not cattle.
May 21, 20243 Minutes Read
