How much Security is enough?

Tim Wilson at DarkReading writes a little about how to discuss security issues, goals, and concerns.

Of course, his message is a basic and simple one: how much should anyone be concerned with security?


A business has to have sales to operate. To have sales, there must be customer service, installation and other essential business services depending on the business.

So one could say it depends on how much the business depends on computer technology interconnected to the Internet.

If one depends on Internet sales, then cybersecurity is pretty high up on the priority list.

Most likely computers are needed in the many functions of a business (accounting, sales, customer service, installs, and more).


What if all computers were infected? Sure, we don’t want a ransomware virus on our computer infrastructure, but what else can we do but depend on our IT people/department?


How can a business person make decisions in a field they are not experts in?

The focus on adding CISOs to the executive group means there is a larger emphasis on cybersecurity, since an incorrect implementation of IT can be catastrophic, although the risk is unknown.


What happens when risk becomes cloudy? We depend on risk management frameworks, and as I’ve noted before:

There are problems with this methodology.  It invites mistakes.


When risk is not certain, we tend to err on the side of assuming the risk is not that high to begin with.


So, coming back to the initial question: how much time and effort should be spent on cybersecurity?

I think cybersecurity should be treated like disaster recovery procedures: a certain percentage of the budget and effort should be used to check and double-check the IT department and its methods, and all aspects of IT should be reviewed again and again. We must push for a higher level of security, since attacks have become easier to carry out.

The problem is that IT people who understand security hacks and business people who have no idea of IT intricacies are not talking to each other in a proper way.


Why do you think we continue to see the trickle of breach news stories?

And surveys of IT and security personnel like the one here:

Graphic from Gemalto survey (figure 15)


The real problem is that a level of mistakes is expected or allowed to happen with the current methods.


This is unacceptable. As I’ve said before, we need to move to no mistakes, not “some are OK.”

Maybe 10% mistakes were acceptable in the past, but today this can be fatal, and as the figure shows there are lots of problems: 30% of companies have been breached out of a sample of 1000. That means 300 have been breached in the last year, with 240 breached 12-18 months ago and 260 breached 18-24 months ago.


Even if this survey does not show it definitively, it looks like everyone has been breached (especially if you count a virus).


This makes sense, actually: everyone is breached, they fix the problem, spend a little more money, and keep going. Maybe a new firewall gets installed (next gen firewall), but the attackers continue to get more sophisticated as well.


This was the graphic from a post from Dec 2014: BlackHat 2014.

To fix this problem, we need to use Six Sigma-type thinking to reduce our IT risks to 1-2%.

This will take time and a lot of effort.


