
How much should we spend on security?

April 20, 2011


A former boss used to ask, "when are we done?" I don't know why but I've seen this question really pop in the last couple days. Perhaps the VZ report reminds folks we should be doing better (not necessarily more, just better). The troubling part is this question is often accompanied with a bit of defeatism. The good news is I think we understand why we're asking the question. There's enough evidence floating around to demonstrate it's not if a loss will occur, but when and how bad.

What I don't understand is why the question is so hard to answer. Perhaps it's because there is no one answer; it's a process that should be repeated at least annually. In my view the process has two objectives:

  • Are we operating at an acceptable risk?

  • Are we as efficient as possible?

Let's break down some outputs:

Are we operating at an acceptable risk?

  • Identified and prioritized assets

  • Prioritized risks across them

  • Approved mitigation efforts or asset owner acceptance of risk

  • Defined security performance metrics, with asset owners accountable (and jointly responsible) for defining acceptable targets

Are we as efficient as possible?

  • Defined IT and security services

  • Capacity aligned with demand

  • Identified core competencies across team vs. outsource

  • Identified process improvement areas e.g. automation

  • Defined SLAs for security services

  • Defined %'s of business as usual vs. improvements/projects

You don't have to do everything at once, but you need a committed plan. Here's the kicker: the above are not hard to execute. I've worked with teams who pulled it off. You can pay consultants, train, and/or hire staff. The hard part is making the above a priority for the business. Does the CEO want to answer the question, or just spend the minimum to be compliant? I can accept either answer; it's no answer that's unacceptable. That's what I think leads to defeatism.

Perhaps the above would make an interesting series of posts. I don't have all the answers but I know how to find them. Let me know if there's interest.
