Start with the end in mind – let us replace security GAP analysis

Many consultants reflexively suggest that the customer start with a GAP analysis, so that the consultant can understand the customer and a plan can be made. However, we need to ask what purpose a GAP analysis really serves. It is assumed that the result of a GAP analysis shows the best solution. We want to challenge this!

Before we can go further, we have to agree on some basics. Let us state that the customer wants to achieve a goal, in our case to become more secure, and needs the assistance of a consultant. This means that the customer wants to know which FUTURE courses of action are available and which one of those she should choose. Having said this, we can draw parallels to coaching. Our goal should be to ask questions about the future in order to know what to do. A GAP analysis, on the other hand, asks “what are the current shortcomings?” In other words, it asks what has been done in the past to end up in the current situation. To draw a parallel to coaching again: it mainly serves the consultant’s own need to understand the problem, while it anchors the customer in the past. The customer, on the other hand, is frequently aware of the problem. Why else would she have contacted the consultant to start with? She wants to know what is BEST to do, how long it takes and what the price will be.

This means that, as a first step, the consultant should ask more questions to understand the challenge and the customer’s need, in order to suggest the best solution. In other words, the consultant needs enough details to bring in their expertise about solutions for the challenge at hand. The consultant should create results that last and contribute to the solution from the very start. Unfortunately, there is no generic answer as to what constitutes such a result.

However, we can provide some examples (see Table below) for specific areas and from them derive the following potential candidates:

  • Scope of the endeavor
  • Needs, requirements and/or risks
  • Engagement/project plan

Obviously, these examples show that there are cases where a GAP analysis makes sense, and it needs to be stated that a GAP analysis is a useful tool. The objection is that it is not a good starting point! However, it makes perfect sense for (quality) assurance and accountability. A far better way to get started is to do something that helps toward a better solution.

This means that if a customer engages a consultant, she should ask for results aimed at the solution, not for more detailed descriptions of the problem.