… or not enough, but you certainly don’t have it right.
Security takes commitment, but it’s not as simple as all or nothing. Knowing how much to commit for your level of risk tolerance is critical. The first thing you need to do when improving your security program is set honest goals about what you want to achieve.
Ideal security investment means doing what is necessary and nothing more. Every dollar you spend to secure something that isn’t going to be attacked is a dollar that isn’t used to lead the market, build new features, or sell and market your solutions.
Here’s the rub: you don’t know where you’re going to be attacked, and you can’t know exactly where that line is. So you will always overspend or underspend; it’s impossible to get it perfect.
I talk a lot about goals. I think goals are the lens through which you can make sense of any action. Without goals you’ll be pushed around by your security vendor’s marketing literature, the scary attack of the day, or whatever your team or board brings to you with the most short-term urgency. Goals give you an anchor that allows you to have confidence in what you are spending.
Goals can be lofty and long term or sharp and actionable:
- I want to be able to measure the efficacy of our security program.
- I want to find fewer vulnerabilities in production and more in test.
- I want to be able to create a framework of risk, so I know what needs my attention first.
These are all good goals that can help you choose your next step wisely. If being secure is your goal, you need to know what that means and how to measure it; otherwise you’ll never know if you’re making progress, or even if you’ve achieved it!
If you want to create a culture of security, where security is a value of the organization, then you must change your company’s DNA, build a castle, and set a course for security island.
If you simply need to avoid the bear by being more secure than your competitors, then set a goal that states that clearly and align your security and development activities to that goal.
The important thing is to know what your goal is, so that you can plan your investments accordingly.