
Thursday, 31 Jul , 2014

How Much Information Security Do You REALLY Need?


Maslow expected us to satisfy basic needs before moving on to more complex ones. Why then is "sexiness" overcoming need when planning security spend?


A post inspired by this article on Tripwire’s State of Security blog by Cindy Valladares. Here’s an excerpt to go with the graphic:

“Maslow’s Hierarchy of Needs framework suggests that individuals are concerned with layers of needs, making us interested in moving up a layer only after the most basic needs are met.

I would like to think that for information security we have a similar way of rationalizing our investments. Unfortunately, I see many security professionals getting in the latest bandwagon of security ‘sexiness.’”
I really like this, as @CindyV does what many others don’t: she puts context around the value of the bright and shiny things you will be offered by door-to-door security consultancies and tool salespeople. As I ranted about in this article (Dynamic Threat Intelligence – Pretty But Potentially Pointless), it’s all about your vulnerabilities and exposure.
[Image: Luxury Bunkers]

Don’t buy a ride-on mower for your postage-stamp garden. Don’t buy an 80 inch TV for your 8ft x 7ft family room. Don’t buy a yottabyte storage solution for your family photos. Don’t hire mercenaries, build gun emplacements and make your door mat the kill zone if you live in a suburban semi that’s not currently located in an active war zone.

But don’t be complacent either. Many small and medium businesses can’t afford in-house or consultant security expertise. Yes, their footprint on the internet, and therefore their exposure to opportunistic attacks, is smaller, but many hold significant quantities of personal data, deal with online payments or have connections that are an ideal jumping-off point to larger, more secure client companies.
Often, because of poor security awareness and missing or broken controls, they are a softer option for targeted attacks, as shown by the compromises of both AT&T and Target via linked suppliers (there’s more on that, including advice on integrating security into your supplier governance activity, here).
It’s all about realistic assessment of what your business really needs versus the desire created by an expert sales pitch or media splash about latest threats and vulnerabilities.
Cindy’s article, inspired by Dave Shackleford’s earlier piece, gives you a starting point to explore wants vs needs.

If you have the means to get a clear, honest look at the current state of your security, you will most likely find some Swiss-cheese foundations: stuff far more in need of your attention and budget than the “next big thing”. If you don’t know the status quo, your security tool equivalent of the monster TV might just fall through the rotten floorboards before the hoped-for value-add is ever realized.
It’s time for all firms to check whether they’re leaving out the welcome mat for criminals and/or spending money on seductive new tools that should instead be saved to shore up shaky security foundations.
