Is It True That “You Can’t Have Too Much Security”? Not Exactly
Where do we draw the line between "We haven't done enough" and "We're doing too much"?
A phrase I often hear is, “There’s no such thing as ‘too much security,’” and it’s easy to see where that sentiment comes from. The underlying assumption is correct—given enough resources and motivation, anything can eventually be breached, whether it’s a computer, a building, or a safe. But does that mean there’s no such thing as too much security?
One thing that security managers often forget is that even the potential attacker is usually driven by economic motives—they also consider their bottom line, or in other words, ROI.
Imagine you have a valuable item, like a piece of jewelry worth $50,000. It makes sense to buy a good safe for $1,000, or maybe even $2,000. But would you spend $20,000? What about $50,000?
There are many factors to consider when deciding how much to invest in protecting that piece of jewelry, but it’s clear that once the safe costs $50,001 or more, it’s no longer a worthwhile investment.
One possible justification for such a purchase might be the sentimental value of the jewelry. However, if the item has additional value, then we made a mistake in the initial valuation.
Bringing this back to the realm of information security—how do we calculate the value of the organization’s assets that we’re protecting? Beyond the immediate financial value, we need to consider potential revenue loss, fines, or legal action that may result if the organization is breached. Just like in the jewelry example, there are also non-quantitative values (such as the organization’s reputation) that we should factor into the overall calculation.
There are numerous methods and structured processes that every CISO should undertake to assess the value of organizational assets. This includes mapping critical assets (CBA), critical processes (CBP), and examining various impacts on the organization (BIA).
The key takeaway is that before we start allocating budgets, piling on security products, writing policies, and implementing additional measures that might burden the organization, we need to understand a few things—chief among them, “How much are we willing to pay to avoid a breach?”
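The reasoning above (the jewelry safe and the organizational asset whose value includes revenue loss, fines, legal costs and reputation) is the same calculation practitioners usually write down with the standard quantitative risk-assessment terms SLE, ARO, ALE and ROSI. The following is an added example, not code from the original article; the asset figures, incident rates and control costs are constructed for illustration, and treating the safe's purchase price as a one-year cost is an assumption made to keep the two scenarios comparable.

```python
"""Cost/benefit check for a security control (added example, constructed figures).

Standard quantitative risk-assessment terms used here:
  SLE  (single loss expectancy)        = total loss from one breach of the asset
  ARO  (annualized rate of occurrence) = expected breaches per year
  ALE  (annualized loss expectancy)    = SLE * ARO
  ROSI (return on security investment) = (ALE reduction - control cost) / control cost
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    direct_value: float          # market or replacement value
    revenue_loss: float = 0.0    # revenue lost per breach (downtime, churn)
    fines_and_legal: float = 0.0 # regulatory fines and legal action per breach
    reputation: float = 0.0      # reputational damage, expressed as money (business estimate)

    def sle(self) -> float:
        """Single loss expectancy: everything one breach of this asset costs."""
        return self.direct_value + self.revenue_loss + self.fines_and_legal + self.reputation


@dataclass
class Control:
    name: str
    annual_cost: float   # what the control costs per year (licences, staff, friction)
    aro_without: float   # expected breaches per year with no control in place
    aro_with: float      # expected breaches per year once the control is in place


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy."""
    return sle * aro


def max_justified_spend(asset: Asset, control: Control) -> float:
    """Upper bound on sensible annual spend: the loss the control actually prevents."""
    return ale(asset.sle(), control.aro_without) - ale(asset.sle(), control.aro_with)


def evaluate(asset: Asset, control: Control) -> dict:
    """Decide whether a control is worth its cost for a given asset."""
    sle = asset.sle()
    ale_without = ale(sle, control.aro_without)
    ale_with = ale(sle, control.aro_with)
    reduction = ale_without - ale_with
    return {
        "sle": sle,
        "ale_without": ale_without,
        "ale_with": ale_with,
        "annual_benefit": reduction,
        "rosi": (reduction - control.annual_cost) / control.annual_cost,
        # worthwhile only if the prevented loss exceeds what the control costs
        "worthwhile": control.annual_cost < reduction,
        # the article's hard ceiling: spending more than the asset is worth is never justified
        "exceeds_asset_value": control.annual_cost > sle,
    }


# Scenario 1: the article's jewelry, with the safe's price taken as a one-year cost (assumption)
JEWELRY = Asset("jewelry", direct_value=50_000)
CHEAP_SAFE = Control("good safe", annual_cost=1_000, aro_without=0.05, aro_with=0.005)
GOLD_PLATED_SAFE = Control("vault", annual_cost=50_001, aro_without=0.05, aro_with=0.0)

# Scenario 2: an organizational asset whose loss is more than its direct value (constructed)
CUSTOMER_DB = Asset("customer database", direct_value=200_000, revenue_loss=300_000,
                    fines_and_legal=400_000, reputation=100_000)
MONITORING = Control("access control and monitoring", annual_cost=120_000,
                     aro_without=0.2, aro_with=0.05)

if __name__ == "__main__":
    for asset, control in [(JEWELRY, CHEAP_SAFE), (JEWELRY, GOLD_PLATED_SAFE),
                           (CUSTOMER_DB, MONITORING)]:
        r = evaluate(asset, control)
        print(f"{asset.name} / {control.name}: SLE={r['sle']:,.0f} "
              f"benefit/yr={r['annual_benefit']:,.0f} cost/yr={control.annual_cost:,.0f} "
              f"ROSI={r['rosi']:.2f} worthwhile={r['worthwhile']} "
              f"exceeds_asset_value={r['exceeds_asset_value']}")
```

The point of `max_justified_spend` is the one the article makes: the budget ceiling is set by the loss you prevent, not by how much security can be bought. A control whose annual cost exceeds that figure (the $50,001 safe) fails the check even though it drives the incident rate to zero.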