Is There Such a Thing as Too Much Cybersecurity? TL;DR: Yes
Where do we draw the line between "We haven't done enough" and "We're doing too much"?
A phrase I often hear is, “There’s no such thing as too much security”—but is that actually true? The underlying assumption has merit: given enough time, resources, and motivation, anything can eventually be breached. But if that’s the case, then how can we claim there’s such a thing as “too much cybersecurity”?
Attackers Have a Budget Too
One thing that security managers often overlook is that even potential attackers are driven by economic motives. Attackers evaluate their targets much like businesses do—based on cost versus reward. In simple terms, attackers also consider their Return on Investment (ROI).
This economic perspective is critical. A hacker or criminal organization will weigh the potential gain from a breach against the effort, resources, and risk required to succeed. If the “cost” of breaching a system outweighs the benefits, they’re more likely to look for a weaker, more profitable target.
The Jewelry Analogy: A Case for Proportional Security
Imagine you own a piece of jewelry worth $50,000. It’s logical to invest in a high-quality safe—perhaps one that costs $1,000 or even $2,000. But would you spend $20,000 to protect it? What about $50,000 or more?
There’s a clear tipping point where the cost of protection exceeds the value of the asset, making the investment irrational.
Now, someone might argue that the jewelry has sentimental value that justifies a higher investment. But if that’s the case, we’ve misjudged the asset’s true value—and the original calculation should have included this emotional or reputational component from the start.
Applying This to Cybersecurity

In the realm of information security, the same principle applies. Before implementing expensive tools or services, we must ask:
What exactly are we protecting, and what is it worth?
Calculating the value of an organization’s assets requires a holistic approach:
Immediate financial value of the data or systems
Potential revenue loss in case of downtime or breach
Regulatory fines or legal action
Reputational damage and customer trust erosion
All these aspects contribute to the true value of the asset—and should inform the level of security investment.
Valuation Techniques Every CISO Should Use
Every CISO must undertake a structured process to assess and prioritize assets. This includes:
CBA (Critical Business Assets): Mapping what the organization can’t function without
CBP (Critical Business Processes): Understanding workflows that keep the organization running
BIA (Business Impact Analysis): Evaluating the consequences of disruption or compromise
These exercises are not just checkboxes—they inform smarter decision-making about where to focus security resources.
Security Measures: Balance, Not Bloat
The goal is not to add more security tools or write more policies for the sake of it. It’s about efficiency, balance, and business alignment.
Implementing layers of controls without understanding their necessity can:
Waste resources
Slow down operations
Create friction for employees and customers
Give a false sense of security
Instead, ask:
“How much are we willing to pay to avoid a breach?”
And—just as important—“Is that cost justified by the value of what we’re protecting?”
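As an added worked example (not code from the post), here is the valuation approach from "Applying This to Cybersecurity" and the cost-justification question just above, turned into a small Python model. The "annual expected loss = total asset value × assumed yearly breach rate" framing, the control names and all figures are constructed assumptions of this example, not numbers the post provides.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One protected asset, valued with the four components the post lists."""
    name: str
    direct_value: float          # immediate financial value of data/systems
    downtime_loss: float         # revenue lost during an outage or breach
    regulatory_exposure: float   # fines or legal costs a breach would trigger
    reputation_loss: float       # trust erosion, priced explicitly up front
    breach_rate: float           # assumed breaches per year (constructed input)

    def total_value(self) -> float:
        return (self.direct_value + self.downtime_loss
                + self.regulatory_exposure + self.reputation_loss)

    def expected_annual_loss(self) -> float:
        # Assumption of this example: yearly loss = total value * breach rate
        return self.total_value() * self.breach_rate

@dataclass
class Control:
    """A candidate security measure with its yearly cost and assumed effect."""
    name: str
    annual_cost: float
    risk_reduction: float   # fraction of breach_rate it removes, 0.0..1.0

def annual_benefit(asset: Asset, control: Control) -> float:
    """Loss the control is expected to avoid per year on this asset."""
    return asset.expected_annual_loss() * control.risk_reduction

def is_justified(asset: Asset, control: Control) -> bool:
    """The post's question: is the cost justified by what it protects?"""
    return annual_benefit(asset, control) > control.annual_cost

def rank_controls(asset: Asset, controls: list[Control]) -> list[tuple[str, float]]:
    """Net yearly benefit per control, best first; a negative net is 'too much'."""
    net = [(c.name, annual_benefit(asset, c) - c.annual_cost) for c in controls]
    return sorted(net, key=lambda pair: pair[1], reverse=True)

# Constructed figures for illustration, not data from the post.
CRM = Asset("customer database", 200_000, 150_000, 100_000, 50_000, 0.25)
CONTROLS = [
    Control("phishing-resistant MFA", 15_000, 0.5),
    Control("quarterly restore drills", 8_000, 0.2),
    Control("24x7 managed SOC tier", 120_000, 0.4),
]
if __name__ == "__main__":
    for name, net in rank_controls(CRM, CONTROLS):
        print(f"{name:28s} net benefit per year: {net:>10,.0f}")
```

With these inputs the asset is worth 500,000 and carries an expected loss of 125,000 per year; the first two controls pay for themselves, while the third costs more than the loss it would prevent for this asset alone, which is the tipping point the jewelry analogy describes.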
Wrap-Up: The Principle of Reasonable Security
Security is essential—but it must also be strategic and proportionate. There is such a thing as “too much cybersecurity” if the costs—whether financial, operational, or cultural—exceed the benefits.
Instead of piling on defenses blindly, CISOs and decision-makers should focus on asset valuation, impact analysis, and strategic prioritization. Effective cybersecurity isn’t about doing everything—it’s about doing the right things based on risk, context, and value.