Here is a picture of a lock, since everyone has one (the above is a picture of a hotel lock). We don’t buy a house with a Door that has no lock.
The lock cost is not high compared to the other items in the house, including land, wood structure, electric lines, and more.
Everyone expects the key to the house when buying or renting the house.
How much time in your day is thought about opening and closing doors and windows? It probably depends on your level of trust in the neighborhood or other factors (like anxiety or OCD qualities etc.)
In Information Technology security is not thought about much either, just like when using your house for living your life, the computer is looked at as a tool, not as security must haves.
It is only after major events do we refocus on security.
So how much time should be spent on security? 10%? 5%? or 1%?
The physical house key- lock has been optimized after many years of inventions and lock pickers etc. http://www.historyofkeys.com/keys-history/history-of-keys/ discusses ancient Babylon and Egypt with keys whereas the modern key is around 1800, which is still 200 years of inventions.
Think about the computer technologies they have only been in force from the 50’s, although one could say even 1992 or so for the Internet.
So we need to keep that in mind when deciding how much time to spend on It security. We have to spend more time at IT security , since a lot of effective procedures and software has not been created yet. There are a variety of current software to get in a defense-in-depth framework:
Firewall (preferably a NGFW with intrusion prevention)
Anti-virus or anti-malware software on each client computer,
A log system which monitors the firewall, network devices, and important computers.
Anti-spam system (mail-proxy)
Web-proxy -prevents users from going to questionable(unsanctioned) websites.
Notice the complexity of these 5 items. The security IT department is not done, as it needs to review the logs and review potential threats. we have not discussed social engineering or other aspects of IT security.
You can see that as your environment becomes more complex with many locations and devices the complexity increases, thus the time spent on Security will be at least 10%, as there will be times you have to install patches and reboot.
One of the great innovations of the Internet is that we can connect to most other countries and computers in the world, but that means now all of the criminals of the world can connect to us. And some specific criminal gangs have arisen. They come from Russia and China where a sympathetic local government has allowed them to exist and even flourish (as long as they pay some fee). The FBI has taken notice:
The FBI has noted east European and Chinese criminals with over $4mil in reward money for their capture.
As the IT industry matures we develop better IT security measures, but in the meantime we ahve to develop security policies and mechanisms to protect us against the dangers of the world criminal machinations.
Personally I would think 105 of your time is a minimum to be spent on Security in a year (which means in a 2080 hour work year- 52weeks*40 hours – 208 hours on security).
Those 208 hours in the year have to be used to refine the craft of defensive security -patching and reworking the logs in a consistent manner.
If you don’t do this it is only a matter of time until disaster strikes.