Choosing Tech

Running a business successfully means focusing on what you do well, and getting others to do the rest. Good lawyers don’t manufacture their own office chairs or construct their office buildings. You shouldn’t spend your time on IT, either.  You will end up with cheaper, more reliable, and ultimately more secure technology if someone else builds and runs it. 

Just because you've paid someone to do something for you doesn't mean that they'll do a good job.  In tech especially, there’s a huge difference in quality between the good stuff and the crap.  Luckily, the good stuff is often cheaper than the crap.  The problem is telling the difference between them.

Sometimes people don’t like the good stuff because it’s not what they’re used to.  Improvement is change, and the biggest product improvements usually involve a change to the way people use them.  On top of that, security is a cat-and-mouse game: jerks are constantly figuring out ways of exploiting weaknesses in the way you do things, and everybody else is constantly figuring out ways to fix those weaknesses.  Staying still means that the jerks will catch up and nail you.  If a certain kind of door can be unlocked with a roll of camera film and your local thugs know it, you don’t want your warehouse to be the only one in town with bad doors.  Online solutions are the same, except more so. 

With tech, there are some easy indicators of quality. 

Indications of quality tech

Less is better.  Usually the best tech solutions are just websites.  You pay a monthly or yearly fee, you log in, and you do all your work on the website.  Installing something on your computer is rarely the best path anymore.  There are a couple exceptions for software that thinks heavy thoughts: big data crunching, graphic design, writing code, and video editing still work better with software you install. 

Simple is better.  If a website lets you log in with your Google, Microsoft, or Facebook account, that’s a good sign.  If it all works together and doesn’t require you to go to other sites with different passwords, that’s a good sign.  If it needs weird changes to your computer’s settings, like the firewall or antivirus, or asks you to ignore warnings and errors, that’s a bad sign.

Awareness is better.  Some services seem to track your activity.  While this can seem creepy, know that everyone does it.  What’s important is whether they do it for your benefit or theirs.  If you can look at past activity or get notified about risky actions, that’s a good sign that the product is designed with your security in mind.  In general, more security-related choices indicate good security in the parts of the service you can’t see. 

Automatic is better.  In tech, the most secure and reliable products are usually the ones that don’t depend on people.  Services that integrate easily with others are often more secure.  You can also usually tell when an integration depends on people: they say things like, “transfers may take a week.”  If it were automatic, it would take maybe a day.

Examples

See here for several examples of tech done right.  This is not an exhaustive list. 

About certifications

Most security certifications mean nothing.  See here to learn more. 

What if I’m big?

These same principles also scale up to the biggest organizations.  Google, Amazon, and Microsoft are better at running servers and segmenting networks than anyone else in the world.  Their sticker price may sometimes be higher, but after including support costs, outages, and loss of competitive advantage, they are always cheaper and easier than doing it yourself.  When designing a tech solution, start with what is uniquely you, your unfair advantage, and do just that.  

What if I’m in tech?

The same principles apply. 

Do you sell access to a node.js app?  Then host it in a webapp hosting service connected to a managed database.  Heck, maybe in a future version you could even refactor it to run statically from CDNs and rejigger transactions to use auto-scaling microservices.  Even easier, and half the cost in AWS bills. 

Do you run a federal agency that needs to provide access to all legal records?  Just throw them all into an S3 bucket, create some indices for searching, build some search and submission APIs, then a CDNed static UI to pull the whole thing together.  It would cost 100k to build, and maybe 10k per year to run.  You’d never have security breaches, never have outages, never worry about performance, and get the best reliability money can buy.  Best of all, you could replace your 50-person IT team with a guy in his jammies watching logs, doing minor code updates, and periodically updating your front page with Fun Facts! About US Caselaw.  Or heck, API that too.