We all know security is important, but simply throwing money at your information security (IS) investment is a costly and unreliable method of reducing your exposure to risk.
So how do you know how much money you should be spending on your IS investment? How can you be sure you’ve covered all your key exposures? And how are you supposed to justify your investment spend to your stakeholders?
My longstanding philosophy on security is that it needs to be a joint effort between IT and the business. Even within tight budgets, IT can lift its effectiveness in protecting the business by adopting the ‘not too little and not too much’ approach, or as I like to call it, The Goldilocks Result – ensuring your IS spend is just right.
More security isn’t necessarily better. So, how do you ensure your IS investment is just right?
Defence in depth is not for everyone
The ‘defence in depth’ strategy – applying the maximum security controls at each control layer – is costly, but it does minimise risk and compensate for individual control failures. If you’re the Department of Defence, then you have justification and sufficient budget to spend whatever it takes to provide the best security possible. But for the vast majority of organisations, this isn’t the case – more security is not better.
If there were options to improve security at little cost and without hindering business processes, then it would always make sense to implement them. However, in reality, those solutions just don’t exist. There is always a price for security, whether it’s capital cost, the effort required to maintain and manage the solution, or simply the additional hurdles that the organisation must jump to perform their daily tasks.
Organisations must approach their security solutions with pragmatism and a strong focus on business requirements in order to ensure their IS investment is just right.
Why build Fort Knox if you are not protecting gold?
Budgets and resources are finite, so it’s imperative you spend what little you have where it’s needed most.
To do so, first you need to know what you are protecting – the sensitive data in your organisation or ‘gold’ – and where it resides, before you start contemplating security controls.
Only once you have an understanding of your critical data and its location, can you match the optimal security controls – no more, no less.
So, how do you right-size your IS investment?
1. Determine the sensitivity of your data
I call this Data Sensitivity Analysis, or the “so what?” test – so what if this data is exposed? What will the impact be on the organisation? This step determines which data is worth protecting before you invest in infrastructure or make any security design and management decisions.
Obviously, the more sensitive the data, the more protection required. Conversely, less sensitive data requires less security. Identifying this data and reducing your organisation’s security controls to match has the potential to result in major cost savings.
2. Analyse your access environment to build a picture of the various data storage locations, and the access methods and behaviours employed by users to access that data.
From this information you can start to model the points within your organisation where specific security controls should be applied to protect sensitive data.
3. Match your security controls to the data using ‘holistic’ control modelling.
This will ensure that your organisation’s security is aligned with specific business needs, and that your security investment is being spent where it is needed most.
This article is brought to you by Enex TestLab, content directors for CSO Australia.