Security: At What Cost?


I was listening to the end of DtSR Episode 179 when a question was asked: would you (or someone you know) buy a "secure" router that cost $25 more? That wasn't the exact question, but that was the gist.

The immediate question I thought in response was the following (which, of course, I tweeted with the #dtsr hashtag): "How much (more) security do you get for $25? How much (more) do you get for $250,000? And how can non-infosec folks evaluate that?"

The challenge, of course, is how you quantify security and the value that security provides. There is definitely no one-size-fits-all answer to this question. It comes down to quantifying the various risks in monetary terms. You know, in terms of single-loss expectancy or annualized loss expectancy.

This assumes you know what assets you're protecting, have some understanding of the value of those assets, and have some clue about the likelihood of a loss and what impact that might have on the asset's value. Many organizations I've talked to can't articulate these things, and that's a problem. You have no idea how much you should spend to protect those assets. You don't want to spend $1000 to protect a $10 asset, but you might spend $10 to protect a $1000 asset.
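To make the SLE/ALE vocabulary concrete, here is an added worked example (mine, not part of the original post) that frames the "$25 more for a secure router" question as a comparison between the yearly loss a control removes and what the control costs per year. The asset value, exposure factor, incident rates and router lifetime are constructed placeholders; the point is the shape of the calculation and the upper bound it gives on sensible spend, not the particular numbers.

```python
"""Added example: single-loss expectancy (SLE) and annualized loss expectancy
(ALE) used to decide whether a security spend is justified.
All dollar figures and rates below are constructed illustrations."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario against one asset, in the SLE/ALE vocabulary the post uses."""
    asset_value: float      # dollar value of the asset being protected
    exposure_factor: float  # fraction of that value lost in a single incident, 0.0 to 1.0
    annual_rate: float      # annualized rate of occurrence (ARO): expected incidents per year

    def sle(self) -> float:
        """Single-loss expectancy: dollars lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle() * self.annual_rate


def annual_control_cost(purchase_price: float, lifetime_years: float,
                        yearly_upkeep: float = 0.0) -> float:
    """Spread a one-time purchase over its service life and add recurring upkeep."""
    if lifetime_years <= 0:
        raise ValueError("lifetime_years must be positive")
    return purchase_price / lifetime_years + yearly_upkeep


def max_justified_annual_spend(scenario: RiskScenario) -> float:
    """Upper bound on what is worth spending per year: even a perfect control can
    only remove the ALE, so spending more than that loses money on average."""
    return scenario.ale()


def control_net_benefit(before: RiskScenario, after: RiskScenario,
                        control_annual_cost: float) -> float:
    """Expected yearly savings from a control minus its yearly cost.
    Positive: the spend pays for itself on this model. Negative: it does not."""
    return before.ale() - after.ale() - control_annual_cost


def worth_it(before: RiskScenario, after: RiskScenario, control_annual_cost: float) -> bool:
    """True when the control's expected savings exceed its cost."""
    return control_net_benefit(before, after, control_annual_cost) > 0


# Constructed illustration of the "$25 more for a secure router" question:
# a home network worth $1000 to its owner, half of which is lost per incident,
# with a compromise expected once a decade before and once per 50 years after.
HOME_NETWORK_BASELINE = RiskScenario(asset_value=1000.0, exposure_factor=0.5, annual_rate=0.10)
HOME_NETWORK_WITH_SECURE_ROUTER = RiskScenario(asset_value=1000.0, exposure_factor=0.5, annual_rate=0.02)
SECURE_ROUTER_PREMIUM = annual_control_cost(purchase_price=25.0, lifetime_years=5.0)

# The post's counterexample: a $10 asset that is fully lost once a year.
# Its ALE is $10, so no control costing more than $10 a year can pay for itself.
TEN_DOLLAR_ASSET = RiskScenario(asset_value=10.0, exposure_factor=1.0, annual_rate=1.0)
TEN_DOLLAR_ASSET_PERFECTLY_PROTECTED = RiskScenario(asset_value=10.0, exposure_factor=1.0, annual_rate=0.0)


if __name__ == "__main__":
    print(f"Baseline ALE:            ${HOME_NETWORK_BASELINE.ale():.2f}/yr")
    print(f"ALE with secure router:  ${HOME_NETWORK_WITH_SECURE_ROUTER.ale():.2f}/yr")
    print(f"Router premium per year: ${SECURE_ROUTER_PREMIUM:.2f}/yr")
    print(f"Net benefit:             ${control_net_benefit(HOME_NETWORK_BASELINE, HOME_NETWORK_WITH_SECURE_ROUTER, SECURE_ROUTER_PREMIUM):.2f}/yr")
    print(f"Max sensible yearly spend on the $10 asset: ${max_justified_annual_spend(TEN_DOLLAR_ASSET):.2f}")
    print(f"$1000/yr control on the $10 asset worth it? {worth_it(TEN_DOLLAR_ASSET, TEN_DOLLAR_ASSET_PERFECTLY_PROTECTED, 1000.0)}")
```

The interesting output is not the router's net benefit but `max_justified_annual_spend`: the ALE caps what any control can be worth, which is exactly why an organization that cannot state asset value, exposure and likelihood has no basis for judging a $25 premium or a $250,000 one.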

And if you think information security professionals have a tough time figuring this stuff out, think about how everyone else approaches the same situation. Is it any wonder there is so much FUD in information security marketing?

Disclaimer: I do work for a vendor: Check Point Software Technologies. These thoughts are my own.
