Security Spending: Part II, the Good Tower


Today, we present the second guest post in the series by Ted Lloyd, editor of OnlineCISO.

Yesterday, we explored why security spending need not be a bottomless pit, and how yesterday's tools, such as antivirus, can be evaluated using familiar risk management methodologies.

Where then, should a business reinvest the funds previously allocated to antivirus solutions? Another analogy to the physical world can help to answer this question.

Malware and its variants are similar to microbiology in our physical world. Microbes such as bacteria and viruses are microscopic and cannot be seen with the naked eye. Yet they cause disease and illness, sometimes even death. Once they infect the organism, treatment is usually reactive, such as taking antibiotics to kill off the infection. In much the same way as malware, microbes in our physical world are mutating and emerging as antibiotic resistant. Our antivirus software of today, trying to respond to advanced malware, is akin to trying to fight antibiotic-resistant bacteria with yesterday's antibiotics: ineffective.

How did physical science start to win the war on microbiology and what parallels can we make to the cyber world? Immunizations emerged and instead of reacting to the infection, sought to interrupt the process or execution of the infection and thus prevent it in the first place.

Getting back to our cyber world, funds previously invested in antivirus could potentially be invested in real-time protection that interrupts the process or execution of the malware and thus prevents the exploit. Technologies that monitor memory and detect malware attempts in memory, as well as those which protect key operating system functions, are some examples. These types of protections operate in real time, alongside the real-time malware attacks they are meant to stop, in contrast to the reactive nature of antivirus software.

Antivirus is just one example of where businesses can rationalize security spending. It is a good one because it allows us to make many comparisons to the real world in non-technical terms, and it easily lends itself to a risk-based approach to decision making. The takeaway is that all security spending should be reviewed at least annually, and ideally during the budget cycle, to ensure that the spending is still effective.

Unless businesses are willing to accept ever-increasing spending on cyber security, hard questions need to be asked and answered rather than giving in to the hype:

  1. What are we spending on security?
  2. Where are we spending it?
  3. How effective are our security investments?
  4. Can we achieve better results spending elsewhere, or even with less spending?

Answering these questions on a regular basis and making budget decisions based upon risk will enable business owners and executives to sleep at night. We cannot protect against all threats, but we can minimize them and mitigate the risks to the extent that our business does not suffer substantial harm when we are attacked.

Instead of investing more money, consider investing more due care and due diligence into rationalizing the most effective security investments for your business.

Ted Lloyd, CISM