Corporate Security

How Much Security Is Enough?

When it comes to cyber, information, IT (or whatever you choose to prefix it with) security, where do you draw a compliant and cost-effective line?

photoOn one hand there’s regulation, legislation and ‘best practice’ (of myriad flavours), on the other hand there’s your security status quo. In the middle? An angst driven consultant-go-round of ‘How much is enough?’ After all…

What is ‘adequate’ security?

That kind of question strikes fear into the heart of most security professionals and (as security budgets get more breach related attention), business purse string holders. Some firms have the means to implement and maintain the very best controls money can buy, others are constantly looking at ways to minimise security spend, but (as I was quoted as saying in this SC Magazine article on Sony’s vastly increased security budget) it’s not even all about the cash:

“[it’s] typical of the universal security boom/bust cycle. Fear following an incident boosts attention and spend, but work kicked off frequently founders later. As noise abates and belts are tightened the security team becomes the poor relation again. Money goes to projects with an easier to prove ROI, leaving immature processes and benefits unrealised…

…the question isn’t really whether $500 million can fix the problems, it’s whether security foundations, left holey by previous bust cycles, will be identified and shored up. And whether new [controls] will be given time to bed in and yield results”

So how does one target spend to give great security value for money and foster required support from senior stakeholders to buy time and budget to achieve advertised results? Three words:


In the next few weeks I’m going to write a series of articles looking at the part these things play in deciding a rational security strategy. Starting at the very beginning…

What are you worried about?

A completely straightforward look at what should be keeping you up at night. A directly comparable task to identifying any commercial or strategic priority for the business:

  • Losing data, or getting it stolen – be that personal data, financial reporting data, card data, passwords, intellectual property, insider share info, or other stuff not everyone should know about.
  • Data getting seen by the wrong people – whether it’s staff, customers or other folk outside the business
  • Data getting messed about with – potentially causing inaccuracies or outages in systems that use that data.
  • Online or in-house systems going down


  • Any third parties you deal with letting any of the above happen.

Screen Shot 2015-04-17 at 21.38.56That (in a nutshell) covers causes of ALL the pain in EVERY recent newsworthy breach:

JP Morgan





ALL of them hit the news, triggered investigations, nailed share prices, damaged brands, knocked future sales, impacted mergers and acquisitions, instigated law suits and ended careers of board members, because one or more of the previously listed things happened.

Don’t believe me? Why not click on one of the named breaches, check out this summary of the 2015 Verizon Data Breach and Incident Report, or click on the image (it takes you to a fantastic interactive graph created by Data Is Beautiful), to see what the experts said went wrong.

It may look like I’m matching my sources to my argument. References 2 and 3 are specifically about data related incidents. But there’s a reason why the DBIR is one of the most anticipated annual trade publications and it’s not called the Verizon ‘Who Suffered A DDoS Attack’ report. Service disruption, unless it’s aimed at medical devices, transport systems and other critical infrastructure, just doesn’t have the same far reaching implications.

Did you know that cyber criminals often use DDoS attacks to distract companies from their real aim…getting inside the network to steal data? That fact alone should speak volumes.

But, how do you use that knowledge to find, assess and scale risks linked to gaps in processes, awareness and tech? More to the point, how do you focus effort on things most likely to cause you a regulatory, legal and/or newsworthy breach? After all, who can afford to robustly assess every piece of perimeter, network, midrange, endpoint and mobile kit, all software configuration, all code you control, all related processes, holes in security knowledge and the same again for all of your partners and suppliers?

First: Find and follow your DATA

It’s so, so easy to get thrown off course with this. Data gathered and created has grown vastly and unpredictably in the last decade. As has the scale and variety of networks hosting it. Things probably got out of hand before anyone even thought of the phrases Information Asset Inventory, Big Data and Cloud Storage. cats3

I’m willing to bet your auditors have tried to pin the data taming task on various teams in the last few years (Data Protection, Security and IT are the usual targets), but I’m equally willing to wager that work never got the executive backing it needed. And, as a result, it probably lacked time, headcount and/or budget to yield demanded results.

Not just that, there are a vast number of security ‘priorities’ vying for board attention just now (more or less prompted by vendor or media hype). Threat Intelligence, Vulnerability Scanning, Breach Insurance, APTs, the IoT and Cyber, Cyber, Cyber. All of those (excluding the Cyber-FUD) have a place in your business risk universe, either as controls or things to assess.

BUT…it really is…in almost every case…all about the data

  1. Where is it?
  2. What is it?
  3. How sensitive is it?
  4. How much of it is there?
  5. What is it used for?
  6. Who owns it?

Six questions every business should be able to answer about data they own, control and process…but most can’t.

THAT, I would vehemently argue, is your biggest priority. No-one can secure anything if they don’t know where it is and no-one can decide how much control is enough if they can’t place an operational, strategic and/or monetary value on it.

Then there are the opportunities. Never (all the risk idealists shout), never talk about risk only as a negative. Here I’m embodying their dream. You NEED to make your data work for you. Big Data and effective analysis of it isn’t just marketing rubbish, it is the future of the way we do business. So go, find, catalogue, categorise and do data science magic on your pot of digital gold.

More on why data, risk and culture are vital to securing your business coming soon.

Also now on LinkedIn quoting a related and very eloquent post by Robert Duncan (CISO at Euronext).

5 replies »

Want to add to the discussion?

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.