“Where should you spend your security money?” is the proverbial $64,000 question. With budgets scarce and security threats plentiful, you have to invest wisely, both to address the things that actually matter and to build a successful career in this industry.
Preparation vs. Response
There is a long-running debate over whether security dollars should go toward preparing for attacks or toward responding to them. It’s worth thinking about, but there’s no simple answer. I recommend focusing on prevention to the greatest extent possible, at least until you’ve mastered the basics: find and fix the 20% of security flaws that are creating 80% of your risk. That group is remarkably predictable and usually includes the following:
- Undertrained, click-happy users who, in their day-to-day work, effectively make security decisions on IT’s behalf.
- Missing software updates for operating systems and third-party applications, the very software that phishing and related attacks routinely exploit.
- Unencrypted phones and laptops that expose sensitive information when they are lost or stolen.
- Weak or missing endpoint controls (typically anti-malware) and network perimeter controls (typically web content filtering) that fail to catch and stop what they should.
- Improperly configured guest (and similar) wireless networks that permit access into production environments.
- Weak authentication, including weak local and domain passwords, and no multifactor authentication on critical systems.
- Web application flaws that allow system manipulation or back-end database access.
- Open network shares that give access to people with no business need for it.
I’ve yet to come across an organization that has mastered all of these preventive aspects of security. Once you have, you can shift your focus toward response. Incident response is not to be taken lightly: it depends on good information, and good information depends on visibility across your entire environment, from the local network to mobile devices and out to the cloud. Until you have that visibility, you won’t be able to detect when things go sideways, much less respond appropriately.
Spend on Training Over New Tech
Your budget should include ongoing training for technical staff. It’s rare to come across IT or security professionals who have the money to attend security conferences or take courses that improve their technical knowledge and soft skills. Budget as well for a security committee, including bringing in outside experts to provide consultative advice.
Throwing good money at bad ideas is a terrible approach to security. What I often see is organizations spending tens, sometimes hundreds, of thousands of dollars on the latest and greatest technology. The box gets checked, yet six months to a year later the security program is no better than it was. One rule of thumb: any new technology you bring in will consume someone’s time. Whose? What will that cost? You may find that stepping back and making better use of the systems and controls you already have is the best option.
You don’t necessarily need additional staff to improve any of these areas. Bringing in an outside consultant for initial or ongoing security assessments, or even virtual CISO work as needs arise, may be the best use of your security dollars. What matters is that you’re doing something that moves your security efforts in a positive direction.
Making Good Choices
In the end, you must find a balance, and I believe prevention is the key. Why not fix the things you know can, and will, be exploited? Just as diet has the greatest impact on our health, making good choices before things go wrong is always a sound approach. What makes the most sense for your business? What will bring you the greatest value and return on your money? Only you can answer that, and the answer will most likely come from a detailed information risk assessment. What’s important for you won’t be identical to what’s important for other businesses, even those in the same industry, so be wary of “me too” approaches to security.
Politics and culture will define how your security program takes shape, so it’s important to have leadership on your side. Their decisions on whether to spend money on security, how much, and how effectively will determine your outcomes. It’s the law of sowing and reaping: whatever you sow, or don’t sow, will shape how many security incidents occur and how badly they impact your business. Ultimately, you have to figure out what your lawyer is willing to defend, because that’s where things tend to end up.