Tuesday, May 4, 2010

Most Secured VS Cost Effective Security

Had an interesting discussion recently with Krag Brotby (editor of the official ISACA CISM Review Manual) about setting a high baseline and achieving zero incidents. It triggered the thought of most secured vs cost-effective security.

In security, most practitioners will try to set a high baseline to achieve zero incidents, acquiring various security products to protect against all possible threats. Many times, standard security controls such as firewalls, anti-virus, etc. handle 95% of the incidents with about 20% of the total security expenses. The more sophisticated products and solutions, such as SIEM, handle the remaining 5% but use 50% of your total expenses and resources.

Instead of spending so much to handle the minority of threats, they can sometimes be managed by having an incident handling process to deal with the 5% of incidents (which may be 3 to 5 incidents per year). The majority of the budget and resources could be saved or put to better use. It is definitely a good value proposition that will appeal to management (especially during an economic downturn).

Having zero incidents may also have a "negative" impact on management and staff. Management may become too comfortable with the security level and may not increase, or may even cut, future budgets. Security staff may also become complacent about maintaining and improving the current security.

As new security issues emerge constantly, your current security controls will never be enough to maintain zero incidents for your organization forever. New threats will be discovered, and additional budget and controls will be needed. Having a few incidents per year could be useful to keep management and security staff on their toes. Management may also be more accepting of new threats, and staff more responsive to new security challenges.
