Most of us have seen the pictures of shoppers in a certain retail establishment. A veritable zoo of people and their chosen fashions or lack thereof. Adults that make the everyday choice of picking clothing that just does not do their bodies justice.
Security is very much like fashion. There are innumerable products, colors and sizes. You can get expensive or bargain security. There are pink, blue and green boxes; there are baubles and dongles; there are light-up boxes and easily foldable computers. You can get hardware and add your own software. You can be your own security tailor.
Age and body appropriate
When security is appropriately sized, it fits well, it flows with your growth, and it protects you from the dangers outside. Like clothing, there is inside and outside protection. There is battle and casual security. Also, as your company grows, your need for protection will get larger and you will have need of more components.
Security that is too large or too small will not protect you appropriately. Employees, revenue, environment, industry and other risks must be taken into account in order to choose the right tools to protect your assets.
Undersized protection is not going to get the job done, whether the job is keeping you warm in the snow or protecting your desktops from malware.
Striking the right balance is critical
Buying something a size larger may be safer, but can make you “look bad” when it comes time for your next budget cycle. On the other hand, too small can be deadly for your environment. If you must err and your budget supports it, ensure that you do so in favor of “bigger” as adverse outcomes are more likely to be stopped by oversized defenses.
When we consider budget, it becomes clear that different sizes dictate different needs. If your organization is not large enough to have a dedicated information security person, then it’s unlikely that you’re going to have large bags of money for security.
For example, an organization of 20 people may have revenue of 2 million dollars. If they follow the average for North America (3.5% of revenue for IT, according to Gartner, and just under 10% of IT for security, according to a report from SANS) they’ll spend around $730 per month for IT security. Luckily for them, their needs will also be less than massive organizations with multi-million dollar IT security budgets.
Naturally, large organizations, which have greater needs, also have more funds dedicated to IT security. The challenge for all organizations is not just to spend the allotted percentage of revenue but to spend it in ways that are appropriate for the size and risk of the organization. Managing 200 desktops require a different toolset than managing 20 or 2,000.
Finding the right balance of free (Yes, free software has a place here.) tools and commercial tools is part of the constant battle for making IT security fit the organization. Of course, that challenge changes as the organization changes, usually growing in size from small to large, etc.
Furthermore, since smaller organizations typically have a higher tolerance for risk than larger ones, the IT security spending decisions get more complicated. As your organization matures, it will likely have a lower tolerance for risk, meaning that the IT security expenditure will need to increase.
Looking good now and in the future
Your company must look good in order to attract investors, customers, and that ever fickle resource of employees. No one wants their image to be associated to a raggedy, hacked company.
Looking average in security is not a bad place to be. Spending 0.35% of your company’s revenue in today’s age is defensible, but it may not be enough considering that more and more industries are connecting online with their suppliers and customers.
In order to keep looking good, companies will have to spend more in security than they have historically.
We will be discussing these numbers and analogies at greater length at BSides Boston 2017 on Saturday, April 15, 2017.
About the Authors:
Vik Solem has been hacking the digital and physical worlds since the 1980’s. He survived Stevens Tech, wrote code at BBN, and was with AtStake when they were acquired by Symantec. In 2007 he founded Mabuhay Enterprises Inc., now MEI Security, with the goal of providing cyber & physical security services to businesses and individuals. Today Vik continues to help people and organizations understand their risks. Whether in cyberspace or in the physical world, MEI Security’s customers have the information and knowledge to make informed decisions for averting negative events when possible and for handling the aftermath should they be unavoidable.
Pedro Marcano is a CISSP, CISA, CRISC, PCIP, CC, and ALB. While he has not worked in the fashion consulting industry, Pedro has founded three information security consulting companies including Vernance where he currently works as Managing Director and CEO. He has worked across all 17 of the Critical Infrastructure Sectors and in various other not-so-critical verticals.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.