Throwing Money at Security Won’t Necessarily Keep Your Enterprise Secure
Wait! Read this blog before you spend any money on security.
Do you really understand the true risk to your sensitive data and critical systems? If not, it’s time for you to do a little soul searching and find the answers to some really important questions, such as “What really matters to my organization from a security perspective?” And, “Where are we failing to secure our critical assets?” Given the inability of most organizations to apply adequate time and/or budget to simultaneously tackle every potential security issue, you really need to answer these questions so that you can identify and address your truly critical concerns first. I’ve seen too many organizations run around in circles trying to secure the next items on their radar – an approach that more often than not turns out poorly.
Here’s what I recommend: use risk to determine the priority of your security initiatives. Take a systematic and effective approach to your security program by first understanding the business drivers in each of the business units. Don’t know where to start? Ask yourself, “How does this unit make money?” Although a bit simplistic, this is a great place to start. From here you should be able to identify mission-critical assets – those are the assets required by the critical systems you just identified.
Once you have identified critical systems and assets, you now know what to protect, but from whom? And what? Categorize and determine the capabilities of the most likely threats you have to these critical systems and assets. Then, determine the vulnerabilities you have in your existing security controls and identify the effort required to exploit these vulnerabilities. Then, start tackling the risks that could most significantly impact your enterprise. Sound like a lot? In all truthfulness, a risk-based approach – especially if legal and regulatory requirements are a concern- is the most efficient way to gain accurate visibility into your current state of compliance and identify what steps are required to mitigate gaps. And, if you need help, check out our new Information Security Risk Assessment service.
Once you’re headed down this path, it is natural to wonder if you have too much or too little security and if you’ll know either way. And that’s great – at least you are considering both ends and that means balance. It is important to understand that critical systems and sensitive data are not the only assets of your company – so is money and time. There is such a thing as too much security. The spending of resources on security improvements should be limited by the value their implementation brings to the protection of other assets (capped by asset value).
You should put enough effort into security to reduce the real, validated risk to an acceptable amount. When security efforts are a hindrance to your business processes beyond the value of what is being protected, your company has too much security in place.
I’ve just thrown a lot at you so let me give you a good rule of thumb. When you start worrying more about how much you are spending on security than you are about your assets being compromised, then you are spending too much. If you are still worried about the protection of your assets over security spending, you have put in too little. Re-evaluate, re-address and re-implement.
Have you been taking the right approach? Can you demonstrate that to management?