I am excited for activities today. Hopefully you'll peak. Sure. We'll be able to pique your interest and get a, generate more questions than you came in here today. In a good way. Yeah, we go from there.
Okay. Yeah. Matthias Reiner, I'm the director of the practice IAM, but more importantly, I'm the head of advisory. We want to talk about the guide to informed decision making. And for the first slides I want to hand over to Christie, but I want to quickly show the agenda. So we are looking into four segments for today. We have 90 minutes planned. Actually, we have 400 minutes planned because we failed to do the math. But we will make this anyway. So we will start with the introduction. What is this session about? It's about choosing the right tool. There is no magic about that. And the end of the session, if you want to leave it right now and say, okay, 90 minutes is too long for that. It's not, do it properly and do it for your organization. That is the main essence of about that. So what is at stakes? We will have a look at the five phases that we as KuppingerCole or as Analysts or as just people who have done that before. Suggest for this, we want to do a quick exercise with a team of you. No writing of cards, just talking to us and and finding the right solutions and the right questions in defining requirements and vetting vendors. What would be questions to ask to your vendors? And the conclusion would be the informed decision. And with that, I hand over to
Christie. I appreciate it. Thank you. Okay. This can be entirely rhetorical, but I want you to think about this in your mind. Have you ever been in a situation where you've had a failed implementation of a tool? Why was that? Because if it's not an if it's a when, why was that? Have you thought about it since? Were there things that you wish you could have done better or the resources that you wish you would've had access to? Yes. Those of you who are familiar with KuppingerCole, we do offer resources as such. This is your main guy here. So you're very lucky. But not only our advisory services, our research, our digital tools, we have several offerings to help you through this process. Because while buying things may sound fun, 'cause shopping is amazing, it's a very tedious process that has major repercussions. You know, even if you don't do something, not doing something can have those repercussions, right? And the last thing that we want to do is to negatively impact our organizations. So again, those of you, sorry, who are joining online, feel free to post any responses to questions we have as well in the portal. And then we can engage with you as well,
Right? Just for the hand signs, just to answer the question with yes or no. If you say yes, would you kindly raise your hand? Has this happened to you before just choosing the right tool before? Because you did
Not. This is safe space guys. It's okay. We've done it. We've all done it. Come on. Of course, right? Oh yes. And not yours. Yeah, yeah, of course. Yeah. Why is going through this process important? Why can't we just look at a leadership compass and pick the highest ranked tool? I trust our Analysts, I think they're smart. If they think it's the best tool out there, then it should work for my company. This isn't always the case, right? Everyone's company is different, every industry is different. Every impact could be different. And so we need to dig a bit deeper. We need to do our homework, be a little more diligent. It's very tedious, it's very stressful, time consuming, and costly. So how do we mitigate all these risks? Why do we mitigate all these risks? So, big elephant room, why is cybersecurity important? This is a question that you're gonna be asked by your business on a daily basis, right?
Why do I have to do this at my company? Functionally, we're fine. We've had no incidences. We're not a big target. I don't wanna spend money on this. Why is this important to me? Professionals in the room. We know these answers, but how do we articulate that to the decision makers? What's the impact of not doing something or doing something that doesn't align with your organization? How do you tie that to your business goals? You're a large retailer. It's important for you to be online so that your customers can access your shopping cart. So what does downtime mean to you? Loss of revenue. It all ties back to cybersecurity. And you have to do these exercises to figure out what is the impact of what you want to achieve on the overall business.
The complexity and variety out there is insane. More tools, more problems. You talk to any one of our Analysts and they're tracking than any kind of topic area. They're tracking hundreds of vendors all saying the same thing. I don't know if you've looked through companies' websites, but it starts to get redundant, right? Same marketing jargon, same conversations. But how do you dig deeper? How do you understand the truth behind, you know, the sales pitch, the strategic alignment piece. How do you align everything again with your business? How do you make more efficiency within your organization and free up resources that can accomplish their tasks? I mean, I don't know about you, but teams are small sometimes. Sometimes folks are doing two, three jobs. These decisions and selecting the right tool impacts that. And then the empowerment through the informed decision process. You know, if you have a clear framework, if you've done your research, you understand what success means for your organization and how to get there, at the end of the day, you're gonna look great, right? You're gonna accomplish all of your goals and then get more funding next year and enable yourself for success down the road.
So I will ask this question. You sir, I apologize, I didn't get your name. The one who answered the question about you've had a failed implementation. Would you care to share what your experience was with that implementation? Oh, I'm losing you. Don't worries. Ask yourselves then. What are the issues you've had experience with tool selection? This can be rhetorical as well, but think about it right now. And my team, we're going through this process with a particular tool, and I guarantee you every single department that I talk to has their own requirements, their own qualms, their own issues. It's a difficult process. I'll hand it over to Mr. Matthias to talk about how you tackle that process.
Thank you, Christie. I need this one. So what I want to present is something that is at the end of the process. These are learnings that we did or made within KuppingerCole, outside of KuppingerCole. It's just lessons that we think are worth sharing because maybe you can re-identify some of the issues that you might or might not have had before. And from the, from the, these are the headlines. I hate animation. So this is all already there. So I just want to talk you through these five key findings because I think these are the, the mistakes that are made. So first of all, take enough time. And Christie mentioned that, that these are people who are stressed to have more than one job who are doing that. And it's not their core business to make such a selection in many organizations, especially in smaller ones, but unfortunately also sometimes in bigger ones where the experts are experts in many areas.
So the problem is to underestimate the complexity of such a, such a process and to really get to rushed decisions other than just making sure that you really have the right information at hand. Skipping essential steps within that process is an issue. So then, and, and we will show these steps that we think make sense. This is an opinion. This is not necessarily something that you have to agree with, but this is something that we have seen to be working. If you don't do these steps properly, you are compromised on quality, that is an issue. And you are ignoring the long-term impact of such a decision. You're not choosing a tool for today. You're choosing a tool, a tool for the next 10 years, most probably. And sometimes you just don't look at what the vendors actually tell you and what the, what their answers are to your questions if you ask the right questions and what they mean for your business.
So taking enough time is important for just getting to this informed decision making process. Second one is really avoid over emphasizing specific situations or processes. When you are in the situation of choosing a tool, you might have an issue. Right now there's an audit issue. There is an efficiency issue, a cost issue. And that is the reason why you are starting that process. But you should not only focus on that, you should make sure that you take, look at a, a holistic strategy looking at what does that mean for the future? Does this solution, once it is implemented and has solved the problem, the initial one, does it scale to my next problems that these types of products might solve?
If you do not do that, if you just buy a thing that helps you in, I'm an IAM guy, in getting better in recertifications, does that also help when it comes to user behavior analytics later on? Is does this do this as well, good or not? So is there innovation built into that system? And if you're just looking at what you are needing right now, you're building on your current knowledge. So, but, but I expect all of us to learn from day to day and having a solution that is capable of implementing the stuff later is important.
Very closely related to that, but a bit different is the resistance or the, the, the, the focus on, on, on the status quo that you think, yeah, my processes stay the same as they are because they work for 10 years now, so they won't change. So let's buy a tool that helped me in that. No, with this, you are negating, neglecting market trends. You are not looking at what sometimes the Analysts are telling you, what will be the next good thing that can help you. It doesn't necessarily have to be generative AI. It might be something at some somewhere else. Just pattern matching and good computing power might be something that can help you. So limiting the technological advancements to, to also make its way into your organization is really an issue. So not only look at the status quo, I think the most important part is the fourth one, you are not special, full stop.
Every organization thinks it's special because it's different. Somehow. Yes, it's, but the, the bigger picture is not for many cases. You can learn from best practices and when you're special, configure, adapt, augment, integrate, but do not choose a solution based on your being special and do not tailor a solution on being special. So I think these are the two most important facts that we usually see. So if you are creating a solution that just solves your problem because you're special, you will not be able to scale it up to update it to, to to increase or to improve your problem solving, solving for the future because it's sometimes just difficult because it's all coded into the product. And in the end, we are talking, for example, later in this event about NIS2, which is about sharing cybersecurity information about incident information with others. If you have a special solution, that might be difficult because you are special.
Final thought in that context is a new tool will not solve all your problems. The tool can help you. But just by buying a tool does not help you in implementing that. This sounds like a truism, but you need to change your organization, your target operating model, your policies, your processes, and then use your tool for implementing that. The better you are already for this, the less work needs to be done. But I assume there's still a lot to do to make sure that tool plus processes, plus policies, plus training plus education together can only help you in solving an issue. So organizational change might be required and the integration challenge is always often underestimated to say I buy a SIEM tool, which is great, now I have all the information at hand. Yep. But they need to get in there. This is integration. So make sure that all this is done properly. And that is the five key learnings in retrospective of projects that we've seen where just things did not go too well. And as we said, this is a workshop then I would hand back to, to, to Christy and hopefully we are happily enough, we have more people in the room. And I will check the comments right now once I have not like looked at my notes, but we want to get interactive. So we really encourage you just to, to provide feedback. 'cause we are a little group, we have a bit on, on site or, or remote. So let's get more interactive.
Yeah, definitely. I will say while Matthias doesn't like animations, he makes some good graphics. So the next two were courtesy of Mr. Matthias and ChatGPT. So tools could be a double-edged sword, right? It's, it's a fine science. Matthias talked about the methodology around selecting this. I said not all companies are just the same. Doesn't it kind of like go against one another? Yes, it's the same practice over and over again, but for unique instances. So you always have to keep this in mind so you can have an objective of capability. You want to make sure all of your processes are working functionally. There's no disruption. You want to ensure that if a situation happens, you have a go-to, but this could also create dependency. So maybe your organization is a little more apt for risk and they went with a startup two years down the road.
The startup is no longer around, but you're completely dependent on their tool. What do you do? Then? You have to make these plans. Innovation versus a disruption. Great. Everybody wants to do the newest, brightest, biggest thing. Everyone wants to come out with something first. Everyone wants to brag about how they are the innovators in their organiz or organization market, what have you. But are you taking into account what is functional right now? How your teams work their day to day. Is this gonna be more disruptive at the end of the day or is this cool new tool actually going to enable them solutions versus new solutions? Again, is what you're doing today functionally required or functionally justified?
You could be creating new problems, you might not have the resources to manage and monitor these tools. I mean, you might not have the intel. I mean, I'm thinking of Target, right? It's a big one. Everybody knows they saw the anomaly, knew something was wrong, didn't know what it was, didn't address it, and it became a larger issue down the road. Empowerment and skill gaps. That kind of leads to that, right? Are you enabling your teams? Yes, our teams might be small, that might be overworked, but is this going to solve their problems or are you creating more problems because you don't have the the resources or skills to fill those gaps?
Money. In a previous life, I helped assess a large insurance company in the US who after previously mentioned breach got a large funding grant for cybersecurity and they went tool happy. And a few years down the road they find themselves in tool sprawl. Nothing's talking to anything. Creating a, a larger gap, more money down the road, having to add more resources to manage more tools, buying more tools, subscribing to more tools. Is that really functional for your organization? Are you saving more money down the road? Are you costing them? And scalability versus complexity? Matthias mentioned, you have to think about the future, not your today, right? Where's your organization going to be in three, five years? Yes. Something might be functionally okay today, will it be tomorrow? Will it grow with you? Will it shrink with you? All of these things need to be considered. Again, this is why you can't just look at an LC and pick the highest ranked one. You have to do your research. You have to ask the hard questions. You have to seek out help with organizations like KuppingerCole to really figure out what exactly you need versus what you want and versus what's gonna really impact your organization positively down the road. So I'll take it easy on you right now. We can make this rhetorical 'cause I want Yes, please.
Could you flip back to the Yes. Previous one. You know what I miss
Please?
The direction there needs to be a direction statement.
Okay.
And this direction statement would say, which would, from my perspective, give an answer to many of these ones. And this is what I am thinking for a longer time entering the cybersecurity environment. It's the overarching term of simplicity.
Because what we see is, and you can listen to many of the discussions we always come across, then complexity, many tools. Yeah. And as I, I raised my hand when I said of course we have experiences what it means to introduce tools. Yeah. So I remember for instance, the company where we have been introducing SAP was a nightmare. Yeah, it was a nightmare. You needed more people after than before kind of job generation. But I think in order to to, to give it a direction, I would love to measure each and any activity against the target of, is it now more simple than before or not For me, this would be a very, very strong direction. The kind of, how do you call it? Gradient? Yeah. You know, developments only happen along from of gradients. So in here we would have to think whether we introduce a term of simplicity and check each and any of our decisions. Would it lead to more simple? Because more simple means by the way, more secure. Yeah. If it is more secure then we exactly achieve what we wanna achieve. So would you talk in your talk about simplicity at all?
I can leave that up to Matthias a bit about the simplicity of it. He will go more in depth in the topic in a bit.
I think simplicity, that the term simplicity is not used, but it's it's hidden inside terms like automation, efficiency, no,
Automation could also be very complex. Sure, sure. So that's, that's why my statement is, I I just make a call, a general, a generic call. Maybe we introduce this term and measure ourself against, I know there's no metric, there's no standard, nothing like that. But maybe it's high time for the cybersecurity community to think about simplicity.
Okay. Yeah. But challenge taken. Thank you. Other opinions, especially around this topic of adding simplicity as a criterion, as a metrics regarding measuring cybersecurity. Anybody? No, but, but, but I think one aspect that is also not on that slide, but, but I really, I will take that because this is why I'm, this is why I'm here. I want to learn from you. It's, it's really that this slide might look in the first place to be more too much tool centric, but, and not too much strategy, strategy centric. This is a word. So, so simplicity might be part of strategy and of measuring how a, a strategy works and works out and works out within an organization. But, but if I think on the other hand, as a counter argument, if you think of something like SST Duke just coming around the corner and adding new levels of complexity, things won't get easier in the first place because you have more requirements, more obligations, more, more things to do. But they need to be implemented simple. And that's the reason, that's the point where it comes in. Again, there will be more to do you, you've mentioned SAP as a, as a, as an employment machine. Yes. Be, but you're lo solving more problems. Yeah. So, so, so that there there is, there might be a good rationale behind that. If not, then you have an issue. But simplicity is a good aspect here.
And if I am interpreting copyright,
Copyright, yes. There
You go. There you go. It's on camera. It's good.
That's kidding. But I really think it comes to my mind if you travel around, I'm 31, 32 years in technologies. Yeah. And what I see is a, a growth and complexity. So a little bit away from simplicity. And maybe it's even a corrective. Just a corrective, it's a counter direction you can always measure against. Yeah. Okay,
Great. But thank you, thank you for that thought. Yeah. And it's good to break out. So we have a plan, but the best workshops are those where we scrap the plan.
Yes.
Okay. But getting back to you.
Yeah, yeah, absolutely. No, and I think it's completely valid call out. I mean, simplicity in this sense can go across the board, not only from a tools perspective, but like he mentioned a business perspective. You know, if you have a low adoption of the implementation, it's not really effective. You could have had a great implementation phase that went beautifully. But then at the end of the day, are people are, are you able to, you know, get all the applications that you need on the tool? Are you able to encourage folks to use it properly trained and develop and create the documentation around it? I mean, it could be tedious. And so simplicity should be throughout the entire process. I agree. Thank you for that.
Yeah. What I was gonna say, this is kind of leading into our, our broader conversation, but, and I keep bringing up the business piece 'cause that's my side of the house, the impacts of tool selection, our across the board, right? So when you're going through this process, and this is creating your business case, right? How is this going to impact your company? Are you in the requirements gathering phase, talking to the different departments that this is going to touch? Are they understanding what's going to happen? What needs to happen? Are they trained up and equipped to make it happen?
Is it going to benefit your organization at the day? Or are you just gonna cost them millions and sit on a pretty fancy tool? How is it gonna impact your team? We talked about this earlier, you know, is it going to free up their time to let them work on projects that they were hired to do? Or is it gonna create a larger skills gap and more problems at the end of the day? How does this impact you? I mean, if I'm gonna get famous, it's not because I had a breach at my company and I didn't do the appropriate research and implementation. And how does this impact your customers? Obviously it's not in any particular order. How is this going to affect them? Is it going to affect their experience with you? Is it going to affect whether or not they want to engage with you? Is it gonna make their life more difficult? Is it simple? These are all very important things. I mean, sometimes I know we can get really bogged down in the technology piece of it, the cybersecurity piece of it, but what you do impacts the entire spectrum of an organization. And so you really need to think about your go-to market and whether your decisions align with that. Okay. Now the fun stuff,
I don't know actually we, we have some, we have some time left, which is great. Okay, I go back to the, to that picture. We have experienced pros in the room. I, I, I'm, I'm trying to ask the question. So, and we are talking about cybersecurity today. So it's the cyber evolution. We are in the pre-conference workshop and sharing expertise from, from your, everything that you want to share. Not, not, not obligated to do anything like that. But when you look at introducing a tool and out there, there are these vendors and they're selling stuff and this stuff is great, but it needs to be well integrated. Are are there other stories that you would like or experiences do not call it stories, experience that you want to share where you underestimated some of these aspects that are in this dotted list of com impact to company, to team, to you, to customers that, that you had or had not on the radar that that really had some influences on your business afterwards that you want to share with us?
Anything that somebody wants to dare to, to share with us. Because this picture, this is what you get. If you, if you ask many stakeholders and you do not moderate the, the requirements analysis, this is what you get. And the question is, what is important of these? All, all, all of these gadgets that are in this Swiss army knife, drilling it down to the right selection of these gadgets and getting to a solution that really works for your organization and then has the proper impact to company team you and your customers. That is the actual art behind that. And after that workshop, you can, you will get that slide deck and you will get these steps that we suggest to execute. But this is just as a, as a guidance, as a help for you. There is no hidden trap behind that to say, okay, now you have to buy it from us.
No, you don't have to. You can do it yourself. And that's the reason why we're doing the workshop. We want to enable you. So again, this question, I've been rambling a bit to give you time to think it over. Any story you want to share with us, anything in the comments I'm looking at Yasin, nothing. Okay, then we have to tickle your tongue a bit more. And then let's go to what we consider to be the five important steps regarding yeah, the, in the phases of an enlight enlightened choice, which is of course a bit tongue in cheek from, from the wording here. But this is the proven methodology that we think you can take home with you. And if you want to have some examples, some questionnaires, some, some Excel sheets, just ask, we have these and we give them readily away. That's not there.
There's no hidden sauce, secret sauce, hidden agenda behind that five phases. And I want to talk quickly through these because I, this is how we do it and we see that many organizations are, are doing it similarly. And that also reflects these five mistakes that can be done during that I mentioned earlier. So that this is really what we want to make sure that you do it properly. So the first thing is an assessment phase, the information collection phase. And this is really where you need to take your time. This looks at different aspects and this looks at different dimensions when it comes to choosing a right tool or maybe getting to the conclusion that you don't need one. Because it might even lead to the, to, to the message that you, if you do a proper portfolio analysis, you don't need anything. You just need to use the tools you already have.
And if you don't have them, this is part of this analysis phase, then you can say, okay, what is missing? What do I need to add? Is there something to rip and replace? Is there something to integrate with, something to augment with or some, something we just didn't have before because the market is changing. So it's a structured analysis based on a well-defined reference that you can use. There are lots of references around. There has been a workshop in this room, I think before where you, that, where such a, a reference architecture has been presented, use something like this, use ours, use somebody else's, I don't care. But have a reference architecture in place and look at what you really need. What is there, what is fulfilled, what is good? What needs to be added? So structuring into blocks and areas and really assessing these areas, that is very important to really understand what do I need and what is missing?
Prioritize the, the picture that I've shown before of obviously there was no prioritization because this thing would not make any sense for any organization. Even if you map that to cybersecurity technologies. Next step would then be the enterprise analysis. That is what I'm saying. Where are you? Where do you have the needs? Maybe even where can you support your business? Where is the message to tell that the organization can tell to the outside world, we are more secure than our competitors, which is a good statement. And people are more and more buying this. This has not been the case 10 years ago, then sexy was good, secure was not, that has changed at least a bit. And on the other hand, do a proper market analysis. Understand the market, go to those who know to the Analysts, maybe us, maybe others, don't go to vendors in the first place.
They will tell you what they have. Go to somebody who's neutral and there are others around. There are us, there's many to use from and use that knowledge and create that and build upon that. So once you have defined this proper understanding of where you are and where the markets are, where the requirements for such a new tool are and how the market looks like, how to fulfill this, this is the end of this first phase, this assessment information collection phase. And ideally at that point, now you understand market, but everything I have said before that you can get to something like a short list, a short list of products slash vendors that you might want to assess starting from that.
These are the first two phases, enterprise and market analysis and assessment and information collection phase that build upon each other. And that is something without looking too much into actual solution, but just understanding what is required from your perspective and only in the, at the end, at the market analysis phase. And looking into, yeah, getting to a short list that is where you sometimes are looking into individual implementations, but hopefully not already having some pros and cons, just understanding, okay, that could fit. So now let's do the proper analysis. Proper analysis also means that you get to a good set of questions that represent your requirements. What is for you important, what is for your team, important, what is for your stakeholders important? And boil that down to a list of questions that you can in one form or the other, ask the vendors. And this is something, this is something that we want to do later with you, hopefully that works just to, to, to see what are questions, what are requirements when we pick a typical product of the cybersecurity market.
That would be on the top five slots of your questionnaire. Just to do that as an, as an as an exercise maybe later. Once you have these questions, once you have that shortlist, invite good vendors to, to talk to, send out these questionnaires and then make sure that you understand what they're doing. I'm just trying to check this, this is exactly what I've presented before. So on the first, on the first one, is there a no, there's not. Okay. To the left, you have the first, the first column, which is your strategic scoping and strategy might also include simplicity. That, that is surely a good point. So really understanding what is your strategic scope and using reference architectures, using reference models in having them in place and mapping your requirements to that is something that really helps from our side. So you get from the strategic scoping, what is the problem I want to solve to what does that mean for my organization?
The enterprise side, the middle column. And then understanding what is the market providing to me as a, as a solution as of now or maybe in the next two years, ask somebody who has a neutral view on what can be expected within the next six months, nine months, 12 months. So really to look at the market sites, to look at the providers and products at the services where they come from. That is always an important question. What is this vendor's origin? Why are doing, are they doing what they're doing? Are they maybe focusing on a specific industry? And what is their strategic orientation? Where do they want to go to? Is this something that augments an existing solution? Is this a a platform that does everything and that needs to be differently integrated? All this are the aspects that we look at.
I've said that before that it's a, a more detailed version of what we've seen before. So vendor communication and vendor presentations is the next part. You have a questionnaire, you understand where you are, you have an understanding of the market, at least the rough one. And then you want to reach out to the individual organizations that provides these services slash products. So traditional work and, and, and I, I think there are people contradicting that I have not heard a good point against that is the good old questionnaire, the good old RFI process that helps in understanding and answering the questions that are of importance to you from the two columns to the left on the last pictures. So have a questionnaire, have a good communication to the vendor sending out that questionnaire. Not 500 questions. 80 will do 80 important ones.
Evaluate that questionnaire, ask the really interesting ones to present today, virtually team session, one hour, one hour demo. And then assess the vendor's presentation and their products. And then now that you're already starting from a short list, getting to a list of just a few ones that you want really want to do further work with. And after each of these steps, there should be something I'm saying that just to make sure, let's hope somebody is in the room who has speaks better English than I do. There is a, there is something, there is a, there is, there is a place where you can say, okay, stop. I don't need this. There is no vendor in place. There is no good solution. Let's wait for a year. Let's check back whether we can do it differently. So there should be a, a, a a means to say, okay, let's, let's break here and, and do that again later or never, just to make sure I've understood.
I know I I want to, I don't want to con continue. That is a fully valid solution here as well to, to, to move forward here if you do the full process. The next thing we really recommend as a proof of concept a asking and inviting a few, just a few for a reasonable proof of concept. And the proof of concept is not something that actually already onsite solves real life problems for you, demonstrates that they could do it. That they're, yeah, that they have use cases that they can execute upon that make you confident that this is the right tool, the right team, the right solution, the right organization behind that. And also the chemistry with the people on site is working well. So it's really soft factors and hard factors to look into. So key is, and this needs to be done properly.
So just again, take your time to define the right POC use cases, and these should be no more than eight to 10 or something like that. So it's not, it's not a real life solution, it's just making sure, please demonstrate that we want to have a, again, I'm an IAM guy, an immediate access review as an example. And that should be triggered by A, B, C and demonstrate how does, how does that look like? And translate that to the area where you want to look at right now. So these would be the questions in the end, then a presentation to say, okay, yeah, we did it. We had eight use cases, we fulfilled them all. And then you are to assess that. Final phase of these phases is the communication part. This is where the team that does the actual tools choice process, this enlightened communication thingy actually makes sure that the message is conveyed to those who have the money, who have the influence, who have the power, who can change processes, who can implement, who can make sure that a long running implementation project can also be spawned.
And I think that is true and we've mentioned that before. It's not only the price of a, of a piece of software or a service that you have to pay. You need to pay for the implementation process. And that could exceed the actual amount of money to be spent twice, three times, four times easily. Because just again, buying a firewall and having the shrink wrapped box lying there does not make your organization safer. And just as a taking example from the early two thousands, we don't have firewalls anymore. Not too many, but just doing it properly. That's, that's the way that you should move, move forward and how you should do that. And I think this is these, again, quickly get back to this slide. So this is the tool selection process that we suggest and that we would like to recommend to you do it, do it on yourself, do it with partners, do it with anybody, have a tool supported wherever possible.
But follow these steps and start with a proper assessment and the information collection phase, this is where everything starts. And don't think of tools in that at that time. Just think of what is my issue, what are my challenges, what do I want to achieve? And achievement could be compliance, difficult to argument towards management could be more secure or even difficult. More difficult. Could be business enablement, could be time to market, could be speed in implementing new solutions and making that secure much better story to tell and then move through the full process, through the analysis phase, through the vendor communication to proof of concept well designed and to a proper management decision to make sure that they get the information that they want. And a one slide presentation for those who have only seven minutes to spend a five slide presentation for those who have 20 minutes to spend and a good presentation for those who have the money to spend.
Moving on defining requirements, and this is the interesting part. Now we, we, we need your interaction. So what we want to do is we want to have a group activity. And I, since we've been talking all the time, we need to make you talking and I have some colleagues in the room, they will make you talk. So first of all, starting with what is on that slide, what is the next thing that you would like to acquire for your organization make up? One, not, not, not, not, not real life tools. We made two examples with, it's just a privileged access management tool or a managed detection response tool. What is on your list of the next big thing that you require when you're talking to the vendors outside? Anybody?
Come on. So the traditional IGA part who has this in place and it's already a good work? Well working, who has a good working IGA/IAM solution that does provisioning all of lifecycle management. Is this working already within your organization? So you need one, you need to help me now. Oh, okay. Okay. Any other and any other opinions? This is cyber revolution. So maybe also something leaning to more modern tools. Modern, yeah, looking at the at at the, at the team. Otherwise we, we say something and then you need to find good, good requirements that you would like to look into no matter which area you look into.
I say we go with MDR, I think this group could have a high capacity for talking about those requirements. Right. I'm looking at you sir. Make it simplistic. Okay. Okay, okay, okay. Yeah. So we can take a few minutes to discuss. Okay. Is everyone familiar with MDR? Yeah. Okay. So off the top of your heads, and we can do this as a large group if you're okay with that. Yeah, sure. Along with folks online as well. Feel free to message in what are some requirements, what are some the whys of implementing MDR,
What would be the four first requirements that you would see, okay, an MDR solution needs to fulfill to make sense for your organization. I know this is tough standing here with a microphone waiting for you to speak, but you're experts. What, what, just one, what what, what are the, the threats that you want to these solutions to, to counter what is, what is the first step? Okay. Difficult one.
Well, if I was in an organization and I had a small team, but an exorbitant amount of logs coming in on a daily basis, logs that my team probably didn't have the expertise to monitor efficiently and call out incidences or know how to address them, what would be a main requirement there?
Okay. As an example, I start with an example. So I would like to have that this MDR solution being, being managed. There you go. M is managed, has a proper set of sources to consume threat information from. So the question would be where are these questions? Where, where are these that's coming from, how actual, how current are they and how often is this, this data updated?
There you go.
So starting from that, any, any, any other thoughts that you have when it comes to an MDR solution? We are all just making that up just right now, just to make sure, what would be the thinking before we get, so we are in this requirement phase, we're in the first block in understanding what, what the requirements are, what would be a a solution, what would be necessary for a solution that you want to implement right now.
Delivery model
Are there
Touch zero, touch, there you go.
Yeah. So, so really plays just as it is. So no configuration at all. Yeah, good. Good point. So so there are lots of people.
Yeah.
Simple
Guiding principle, right? So any other questions that you would like to ask? The, the, the, the, the, the vendor, the provider of the service. Currently we're clear, close to the, to the actual solution, but there might be other aspects to look into. One
Aspect for me, one aspect for me would be the mean time to remediation.
Right, right. Okay. And what would, what would be a good one? If you apply a metric?
It depends on the yeah, actually on the assets. So it's, it's hard to say, but some vendors are talking about, I don't know, they're communicating MTR times of a couple of minutes, but I don't know how, how they can, if that is a timeframe that they can really Yeah. Provide
Would there be, would you make a difference between different types of threats where the mean time might vary and wouldn't, if so, what would be the, the decision point? What needs to be done quickly and what can wait for an hour,
But how, how should you categorize that type of threats? Exactly. That's also a hard point. But if that threat comes up and if you only have, I don't know, a couple of minutes to, to remediate that threat, I think it's in that timeframe you can't talk about, I I firstly I start to categorize that threat and then I remediate that threat because that timeframe is too short to dig deep into that categorize or, or yeah. Area. So, okay.
But that would be a a, how do you call it, zero hour issue, which you cannot assess beforehand because you don't know it, it comes up, you need to remediate it. Okay then no, no, no big choice. But these type of incidents, they are there, but there are only a, a fragment of the overall threat landscape. Maybe just as a thought, maybe such a solution should integrate with your risk management to say, okay, I have, I want to apply my risk management because I know what is at stake in my organization and the threats that attack these assets, which are highly critical, important, mission critical, they should be handled more quickly. Maybe that's, that's a thought that we could, could also involve in integration. Sorry.
Yeah. But for that you need to have a proper business continuity management in place in your organization and you just have create and and business impact analysis for all or for the, at least for the major assets. And I think for, no, I would say most, but I think that that's an, an hard issue or, and, and, and and difficult thing to, to handle in most organizations,
If you're familiar with our research, we address that holistically from a requirement standpoint, right? What are the technical requirements? Which more often than not, we think more on rather than the operational requirements. The operational requirements are just as important to bring up in these early stages.
And we have more or less also different, different perspectives on, at least I have a different perspective. I love this zero touch aspect, which is great, but if I have to choose what needs to be processed first, which needs to be handled first, I would like to apply a risk-based approach. Like analysts usually like to do, but this relies on having that risk-based approach and business continuity planning and assessment and categorizations and criticality levels. And all of this needs to be well-integrated. So there and there's a, there's a, okay, let's leave it there. And I hand it over back to
Technically in, we are now in the world where we say
No, no, sorry, sorry, sorry. All good.
So this should be also self, self-learning would be one of the characteristics it would potentially apply. So maybe like ease and a heuristic based recognition, let's say mechanism Yeah. Of the malware detection. And there's a lot of what you can think nowadays, which would link again, back to zero touch. 'cause it's self-learning. That's most probably zero touch. Yeah. But you also have to have, and this is, I would respect you have to have an escalation, a human escalation, let's say path,
Right? In the end, a couple of
Requirements ilic now, but I want, don't want to be the only one
And consider false positives.
Yep.
In this sort of self-learning approach to see, you know, how high are the false positives and how do you deal with them, right? It's space to be managed, but you know, false positives create interference with,
Right? And that should be part of that self, self-learning as well to make sure that, yeah, that, that these false positives go away over time by adding more signals to take into account when it comes to assessing these, these, these, these threats. Any other things? We are still close to the actual solution. We are what what we've heard is easy to configure, ideally not to configure, just plug and play. We've heard time to remediate. We have self-learning over time. I've, I've asked the question around what are the sources, what are you actually using from, is this relevant? I don't want information from an ISP in APAC to be applied to me being a, a shop in Germany. Localized. Yeah, right. Localization. So, so we are getting to the more soft aspects as well of such a solution. Localized, where is it provided? How is it provided? You mentioned delivery model, is it a piece of software that you install on you on premises still?
I'm glad we circled back to that. I got real self-conscious when nobody elaborated on that.
Hmm. SLA.
True. Exactly.
True. These are the type of SLA you've mentioned. Remediation time should be part of an, of an SLA. SLA could cover availability, which of course everybody says 99.99 something. But the question is how good is the actual measures and what liability is behind in case they don't meet the SLA, which is also an interesting question always when it comes to that.
Isn't it also isolation or Yeah, isolation. Isolating, infected. So the capability to isolate this one,
Okay, this isolations,
These isolations. So auto isolation, if there's something detected, then stop everything.
Right? Right.
Take the endpoint out of the network or something like that.
Something like that. Or on the other hand exactly not doing that, but limiting the, the footprint of such a or or or the, the explosion. Yeah. Right, right. Other, as you said, my isolation, I was thinking of tenancy. On the one hand, you, you want to consume threat data from others. On the other hand, you don't want them to mix up your intel with other intel. So that would be an aspect maybe of, of isolation. Exactly. So we, you just need to make sure part of that process should be finding proper terms to say, okay, I know what I mean when I say isolation because I need both. Any other aspects that you would con want to consider? Soft ones, hard ones, technical ones,
Of course verification. It should be a verified solution against an authority.
Right. Something like ISO server certification or something like more to NIST or something
More to NIST or more to whatever is locally acceptable or adaptable. Oh, and maybe adaptable because if you have an global organization or at least an original one, then you are anyhow bound to several national differential differences. Yeah, right.
I think, and and, and again, I've mentioned I'm an IAM guy, the information that you give them for doing this plug and play analysis might contain serious personal, personal identifiable information. PII, that might be immediately a a the proper probable cause for, for for a GDPR breach or for whatever breach you are in the region where you are. So that would be also the compliance. So it's, it's, it's a, it's a large, it's a large picture and once you draw these pic, these, these, these, this picture and you look at the individual dimensions of what you're looking into, I think that that is where this analysis phase really starts to get interesting.
This is model comp flexibility. Yes. Yeah. Because CapEx driven or opex driven or a mixture of both or whatever,
Right? Yeah. In the end price is also always an interesting, an interesting issue when it comes to providing the solution, providing 24 7 support, 24 7 support. There are more than one flavor to that. Is there just one team somewhere that you wake up in the night to make sure that they answer that question? Or are they on site? Are they close to where you are because you are internationally distributed? That that is also an, an an interesting aspect. So really the, yeah, again, soft factors. How, and it's SLAs again, how fast do they react in case something goes wrong from a technology PLA platform point of view?
I have something weird. Oh yes, please share because I'm an old telco guy. So I would always ask, let's say whether this solution can coexist with others so that you don't have a single vendor lock-in.
Absolutely. A and vendor lock-in is an important aspect. So because you don't have to think other sponsors, I don't know, Microsoft 365. So, so once you are in that, to get out there is an issue. And the same is for cybersecurity platforms and the bigger the platform is, the more difficult it is to get outside. So, so, so the, the variation between platform versus best of breed or even having what you said, which is an additional aspect to say, okay, yeah, I just want to make sure that I can switch between different solutions, either at runtime or as a replacement
At runtime.
'cause resilience will tell you that you have to,
Right? So I just repeat your resilience says you need to have more than one solution to make sure that if one fails or just deteriorates the other can step in final questions. Otherwise, then we would move on. I'm always, all the time carrying around the clicker, which is not that intelligent. That's okay,
You can be in charge of this one.
So that would be the first group activity more or less. So just making sure that you, what they wanted to achieve with that is that you think broader and that you think not only of a tool but of a solution that, that you want to look at. And that maybe also segues over to that with, when it comes to the enterprise and the market analysis. We have three 30 minutes left so we
I'll make it short. Yeah, yeah, yeah. I mean this is also just as a summarize the activity and why it's important to really do your homework upfront. Understanding, you know, your organization, your capacity change management, cost structures, your business model, understanding everything upfront. Doing this homework could really mitigate a lot of issues down the road. And my affirmation, previous life, I used to talk to organizations all the time and I just, I would feel so bad for them 'cause they would, they would dive into these really cool tools, get, get money for these really cool tools. And I'm just sitting here thinking, you don't have the capacity, man, I'm gonna talk to you in nine months 'cause you're not gonna have this implemented. It's not gonna have the return that you think it's going to have. 'cause you're not setting yourself up for success. You're not asking yourself, why are we doing this?
Why are we implementing this? What's gonna be in, on the, the impact internally once we do, if we do. And then when you talk to vendors, I really liked what you said earlier, within your methodology, I mean, do not talk to vendors upfront. Do not talk, turn internally, figure out what your goal is, both technical and operational. Talk to your teams, gauge where they're at, where you're at, where you want to be, right? And then still don't talk to vendors. Do more research. Figure out what the market is doing, go to conferences, talk to peers, call up Matthias, say, Hey, this is where I'm at. This is what I wanna achieve. I don't have the bandwidth to do this assessment. Can you come in, can you help me out? Can you talk to my guys? Can you figure out what's gonna set me up for success? Right? Do your homework first so that you don't look like a fool later. 'cause then when you talk to the vendors, you'll be driving the conversation. They won't be, and no one's saying they're doing this, but you wanna be in the driver's seat because you wanna get a solution that's gonna set you up for success. Your company, your customers, your team, right? So understand the why and the impact internally first, and then have conversations with these vendors.
One, one additional aspect at what we, what we don't say is, now you at this great event cyber revolution outside our vendors, we don't tell you don't go out, don't, don't go out there and talk to them. That's not what Oh yeah, don't do that. Yeah. That's not what we're saying. What we're saying is gather the information that they give you. That's great. But don't raise in, in the your current detailed problem and make them the only ones to reply. Make sure that you have a bigger picture that you get. And this is the, the role of Analysts to say, okay, yes, really we want to make sure that you get the right solution. And we are happily cooperating with all these vendors outside and which is really great and having their innovation in place. This is not what we are talking about. The, the question is when it comes to the tools choice process that we're just looking at how do we get to the proper solution and then needing, you need to understand what the individual vendors provide.
You have your own knowledge, of course you can talk to them, but don't say, how would you solve my issue? Or even you can, you can even ask that question. But then to say, let's, let's take a step back. Is this the one solution that I want to have? And maybe I need internal support. Maybe I do some online research. If this is fine and enough and maybe I need some support from peers, talk to other customers or, or organizations who have already done that, leave the Analysts and the consultants out of the game, which is fine. Just make sure that you have a broad view on the, on, on the, on, on the, on the topic. So it's not, not talking. Yeah. To the vendors. It's getting the broader view of it. That's, that's what we are advocating.
Yeah. Don't ask them to solve your problems. Use them for research and understanding what's out there. And then once you know how you can control the conversation, once you know what you need, then engage in a more deep level.
And this helps you then in communicating with the vendors, because you're reaching out to them afterwards and, and, and ideally you're reaching out to the right ones and
They can help you better. Right. You can shorten that sales cycle as well. They can understand whether or not they need to connect you with a solutions provider and shorten that conversation as well. Okay.
Sorry.
I'm sorry. Your show again.
Here we go again. Second part, this will work better. I'm not, I'm, I'm sure we've talked about solutions, we've talked about SLAs. When you are in the buyer situation, if you are the ones who are executing the such and such a tools choice, you want to understand also your, the provider of the service better. So this is the, yeah, the vendor perspective as an organization and sending these inquiries to, to vendors. This is something that we do of course as Analysts, because we do these, these research documents. So we reach out to them and say, how are you, how are you funded? And all of this kind of stuff. And maybe we can get, get to, get to a few interesting questions that you are typically asking. Not necessarily us, we want to learn as well. So what would be aspects that you were, that, that were interesting to you as an organization when you are choosing the right vendor for yourself and this, these questions can be so varying. We see that with our customers as well. Some, I don't want to take away too much. You've mentioned, you, you, you're a telco guy, so telco's huge. Does this have influence on the type of organizations that you want to work with as vendors? Or do you have more choice? How does this change it really, that's, that's really out of interest now. Right now though. Now I'm learning
The button. Then you need to know if you are coming from telco then many of the cybersecurity thoughts have always been thought implicitly. Let's say implicitly already know this secret, let's say information secret is anyhow the the top priority. So that's why. But there are other principles which vary from it. Yeah. So much of this, let's say quality and resilience thinking is deeply embedded into the components already. So any product which has been used in an telco environment has in, has in let's say for instance, in reliability tick, which is much higher than traditional it. So this gives already some impact. So normally in it you talk about 99.99, in telco, you talk 99.999 at least. So this is already something. The second one was this, let's say flexibility or this coexistence of different suppliers. Yeah. This is a typical
Interoperability in this.
Yeah, yeah. Interoperability is a typical thinking, which comes from ICT. And, and of course with that approach, you may have a preference for companies who have been providing already solutions to techs. Yeah. So IIII could, I could write books about that. Yeah. So when you try, for instance, to build an higher level, you would call it application level from IT perspective, you would call it an application software, which is what, which is providing, for instance, core network functions with regard to author, authentic user authentication, authorization, et cetera. If you take their solutions from the IT market, they're not prepared for this 99.99. 99.999, huh. And if you just take them, you have a lot of difficulties and problems in mutual understanding what you talk about. Because the one side, the side is implicitly assuming that you understand and the IT side is not aware of that. But this is in, we can, we could give workshops on that because this would a little bit explain also what, where the different thinkings at the moment even Yeah. Locally, regionally, even globally collide with you, with each other. And we are even principles fight desperately against each other.
That's the reason why we had on the, on the first slide or one, one of the first slides to say, okay, where are they coming from? What are the industries they are typically serving? Because that's, that has an influence also on the, on the, on the way how they
Provide service. So I, I know, I know everything about 5G, giving you a very simple example, you build an OT network in VR or an IT network, which is operating for OT in an industrial environment, if you ask for a solution, everything is in, if you ask for an IT solutions and you have to bring this, the cybersecurity means you have to bring the key management, you have to bring everything which is already built in. On the other side, you see how different that can be,
Or
Giving you an example out of the health industry. So securing health communication between the practices of doctors and let's say the central database or central data database of the insurance health insurances. Huh. So a telco guy was only surprised how it could happen that you have been mixing up your VPN root certificates and then you could not reach 88,000 practices for half a year and you had to do everything by hand. A telco guy who says, are you going nuts? Hmm. You see, and this is exactly different thinking in this aspect. So you asked, I gave a very comprehensive answer. I've only wanted to give a comment. It's much better to be in the buyer situations than in the seller situation.
That's true. But, but just have a simple question of, at least for those who are in the buyer situation, and even the vendors are typically sometimes in the buyer situation as well. If you have a, if you think you have found the right solution and it's really a good match, but it's a startup, does that influence the decision? Just yes and no. Yes. Have a yes. Would it be different? Yes, sure.
One of the Porwal
References.
Yeah. Right. So you're missing the references. So on the paper it looks good. Maybe even the poc it looked good, but it's a startup. Do you know there will be there in two years or the, if there's a technology buyout or whatever. So that would, would influence your, is there somebody who would not care and say, okay, I'll take them afterwards. If if, if they go from the market, I buy them,
I would care.
You would care. So no other opinion in the room. Okay.
There's,
You know, there isn't, this is perception. If the solution is outstanding, then you would try to safeguard then you know, it's outstanding. But it's a startup. So you do know the risk precautions. Maybe you even take a share or whatever. If you are a big, if you are a bigger enterprise and you can afford it, yeah, take a share. Or you, you try to, or you made them that they give you, let's say more or they safeguard the path of transition already the ownership changes or whatever. So maybe even escrow, no idea. Something like that. I used to be in a buyer situation. It was lovely.
Yeah. But exactly in that situation, that is also where this, this, this workshop aims at. Of course, you can turn the perspective around in, in, in the back of your mind and say, okay, what do I need to do to be good in that? So that, that's, that's a different game. But, but this is how we used to do it and how we recommend that you just take away that methodology. As I said, you get the slide deck, you get all the notes. Maybe we can give you these questionnaires, but they are not surprising. These are Excel sheets with questions and ratings and ratings and that's it. If we look at this list of, of the areas that I've mentioned here, company details, market details, what would, are there some aspects that you would like to highlight that are important for your organization that you would stress immediately? Maybe, maybe. So, sorry, it's great that you contributed, but maybe somebody else just looking around, otherwise I give him the microphone. No,
But I would, I would like to expand on the point that you made being the buyer versus the seller. I mean, asking these questions up front can help you out in the negotiation stage as well. So for instance, if you wanna take on the, your larger organization with the money, and you wanna take on the risk of, okay, if this org, if this startup fails, know from a business standpoint, are we prepared to take it over? I mean, I've seen that multiple times, but having that understanding upfront prepares you for these conversations down the road, it shortens the sales cycle, which is very important. It's not a fun process.
Okay. So kind of the reason why I'm here as the digital product manager, we've been talking about ways that you can do this homework upfront and the ways that cupping or coals, cupping or coal offers you to enable you through this process. We've talked about our advisory services tool choice, our research, last year we came, or this year we came out with a new tool on our website to enable you to do a lot of this research on a high level, right? So you're asking the right questions and you're guided in the right area. We mentioned earlier, you know, not talking to vendors too early. That's only to say that you want to know what you're asking them. They want to help you, right? They want you to be successful at the end of the day. But you need to be able to articulate what success means for you.
And no matter where you're at on your journey, whether you're a very robust, secure organization that wants to modernize or scale or what have you, you know, projects are always new or new projects are always a big test to undertake. So where do you find this information? I mean, we talked about security companies, companies popping up left and right, you know, with that becomes more information, you know, can't really just Google, you know, PAM solutions and hope that the appropriate one comes up for you. You might not want to read a 150 page lc or have that time to weeded through it. So how do you go out and find information in a way that helps you build your business case with Casey Open Select. You can go in and ask those questions, figure out those questions, you know, what are the technical requirements that I need for this project?
What are the operational requirements? How do I put those two together? How do I articulate that to the business? What's the market like? Where's it headed? Is it, what appropriate questions are there out there to ask vendors? Giving you a starting point, right? And then what vendors are out there? I've talked a couple times about, you know, not just going to an LC and picking the highest ranking vendor. That doesn't mean it's the, the vendor that's right for you, the solution that's right for you, right? So understand where you're at today and where you wanna be tomorrow and that'll help you out through the selection process. And to enable you, we offer this free service to discover more access to the latest content out there, all produced by our Analysts, backed by a myriad pieces of our content. So not just the Leadership Compass, the buyer's guide, the market guide, understanding where this particular area is and where it's going in the future.
So it could grow with you and then help you evaluate on a high level. Again, it's very hard to translate all of these needs into a business case. You know, how are you going to tie your project to your business goals at the end of the day? That'll enable you to get the funding that you need, the resources that you need. And I think I'm going over time, but if you have any more questions about KC Open Select or how do you use the tool as essentially an area where you can find this information, you can select your criteria, your features, filter them out, and it'll populate a list for you based on those particular requirements. You can share this content, you can interact with this content, you can reach out further for more questions, but it's just one way to enable you to build this foundation.
Okay. And just to mention it again, one could say, okay, now we've come to that part in the workshop and now they're promoting a solution that they own. Yes. But it's free. Just use it. It's free. That's, that's the good point about it. You can use it and just use it for creating a short list, creating something that helps you in not short circuiting things, but to help you to answer your questions based on that too. That's the reason why I, we wanted to highlight that here. So when it comes to the final 10 minutes, I want to wrap things up. I want to give you a chance for feedback around the whole workshop because this was a test. But nevertheless, we want to also make sure that you know where to get more information and whom to reach out to, not to sell anything.
We are happy to sell things, but this is not what this workshop is about. We want to make sure that this methodology is well accepted and and used. So why are we doing that? Six good reasons. And I've put them to the left and I think to the right, it's just the process. Again, this is what we've seen before. So this is just illustration. Ignore the right part. Six good reasons is, first of all, we do this because we want to ensure functional adequacy solve your issue. So your problem for today and for the next 10 years, secure commercial viability. Make sure that it fits into your spending situation, that it achieves what you want to, a price that you want to pay.
Make sure that it fits well into your organization, into your processes and what you want to achieve. That is the strategic part. That is maybe the simpl simplicity part. Sorry for that. For the simplicity part that has been mentioned, how does it fit into your organization, into what you want to achieve? You want, we want to make sure that it supports and enhances your cybersecurity processes with, this is a cybersecurity conference and it goes beyond that. So a solution that you choose out of the possible choices that you have should make your overall cybersecurity situation better and substantially better.
All of this leads to a management decision. Usually the project leads don't spend millions on a solution and a project they don't, but they prepare this information. So we want to enable those who are in the situation to preparing the situa, this, this, this decision making process to provide the right information in the right format to the right people. That's what we are aiming at. So facilitate informed management decisions. And this is sometimes difficult. Who has ever written a management presentation that has to have everything on one page and seven minutes or this typical elevator pitch and then lots of money is spent on these very condensed information. This is not an easy task, but the information that you gather throughout this process can help you in achieving that. And that's what we're aiming at. And I think the sixth one is the most important one.
After having stated all of this, what happens if somebody says, Hey, you made that decision two years ago. Look, look what has happened. How could you do that? Why did you do that? This is a documented process. This has agreement by all of those who contributed if they're still with the company. And this is something that you can use for justification to say, okay, if we would have done it that way, it would have worked, it would've been better, it would've been more efficient. We would be live nine months ago. So this is a bit of cover your back, but it helps. It's always also important. I think that is, that is important part of that as well, to having a well-documented audit trail of what you did. Summary, I'll get to the first point at the end. Last minute. Questions, concerns or clarifications? Contradictions against the process. Maybe people don't like questionnaires. I don't like them either. I, I produce them. So first of all, starting at the below point, these QR codes lead you to research, free research. So the Leadership Compasses, they are not free, but you can apply for a free account for four weeks, six weeks, I don't know, four weeks.
Four weeks.
Four weeks. So you have full access to that. So if you go there. So still nothing to sell. The video, Phillip and I had a podcast around the five most common problems when choosing a new tool. And this is even a bit fun. And online, Open Select of course is also there. So these QR codes lead you directly there and the links should work in the PDF version of the presentation that you get in the app. Anyway, are there any last minute questions from your side regarding today's workshop? I'll take this as a no.
If you do have questions, good point. Probably most around KC Open Select. I will be at our booth later. Again, it's a free service. It's just to enable you, right, to get you kickstarted and to understand what's out there. It's foundational stuff. It's not supposed to be comprehensive, it's not supposed to be groundbreaking. Please do not base all of your buying decisions off of it. But it gives you a jumping off point, right? An understanding of what's out there. It's a great way to discover vendors, what they have to offer, how they pair, how they fit within your particular requirements. And again, it'll give you an idea of what questions to ask, give you an idea to internally and externally. It'll lead to more research, more ways to discover. But it's something good to start with because there's so much information out there. It's hard to weed through it.
KC Open Select. You don't have to be a Right, right, right, right.
You, it's free, but you do have to register.
Okay. Sorry, KC Open Select is free to use, but you have to register. But you don't have to be a subscriber.
No, no, no, no. Let's
Make that clear
Free. We've mentioned free,
Free tool. We just get your email
Exactly for some definitions of free. Yeah. Okay. Then go up to the last minute questions, concerns, and clarifications. We've mentioned that of nobody left the room screaming. That is good. Thanks. So was this useful? Just something that you can take away home and say, okay, let's use this for the process that that we do. That was my aim. And if you say, okay, that was good that we do anyway and that is not important to me, that's fine for me as well. But was this useful? Take this as a yes. That's one. I skipped this the other question because nobody dared to say something like that. Could it have prevented some previous challenges? Maybe yes, maybe no. But the proper process always helps.
Five final thoughts. Christie mentioned that already. Feedback is welcome in the app. Keep in touch with us. Write mails. We do answer promised this is and I, I, I'm not a sales guy. You're not a sales guy. You're digital. Yeah. Services. I'm an Analyst special advisor. So we are not selling anything unless you ask us for it. So just reach out to us. We plan to have this workshop together with Shikha, because then that's the reason why there is a in the third address. But you will reply as well. So just keep in touch with us. And most important, if you are in the room here right now, if you, and, and unfortunately the other person had to leave because of the phone, but if you think that was interesting to you, A and B, you think collaborating in such a group of people, just networking without us Yes.
Is helpful. Networking with the vendors on the level that we just described, this is so helpful and so important in getting in touch. So across industries, share your experiences. Even the ones that you did not want to share with us, because there is a camera and there's a microphone, which I fully understand. Just share this with a coffee later or tomorrow or on Thursday. Share best practices, help each other. This is something that we try to do and we try to gather these best practices as Analysts and advisors, but if you do it on a peer-to-peer basis, on a networking basis, this is so important. So ideally, share your contact information with the group of you, the result after the workshop, and stay in touch with if you think this is helpful and if you can exchange experiences. And if it's not that group, maybe it's that group in that building. That's it from my side. I think we're quite on time. Yeah. One minute left. Final thoughts? 3, 2, 1.
Yeah.
Thank you very much.
Appreciate all.
Thank you. And enjoy your lunch. Yeah.