Online Exclusive: X is to Y is to Z – Breaches are Cheaper than Security Investments...

One thing to consider, when facing the virtual ban hammer of budget land, is that there are plenty of open source tools available for use.

The term “Too Big To Fail” is a commonly heard saying, made prominent by the economic crash in the 2008-2010 era.  I’ll save you the detailed explanation of where this statement came from, as I am sure you are quite familiar with it.  What is of interest to me is that the general format for this statement, when broken down, is (X is too Y to Z).  The evaluation of this format becomes interesting when we see it being used to form statements relevant to the work that we do as security practitioners. 

 Let’s make some statement examples, using the format above, and see how they feel:

  • X(My budget) is too Y(small) to Z(to implement specific security controls).
  • X(My company) is too Y(obscure) to Z(to be targeted by adversaries)

Just as the statement “Financial institutions are too big to fail” – the examples I gave hopefully stir up a bit of unease.  Yet, it is not uncommon to hear these statements when discussing the need to establish appropriate and often times reasonable information security best practices and standards.

When speaking to colleagues in the field, some common elements come up in conversations.  Luckily many people that I speak to, “get it”.  There are still some outliers in the mist, that will make, what appear to be reasonable at the time, statements using the (X is too Y to Z) format. Bottom-lines, budgets, cost, and ROI – are all valid business justifications for determining acceptable risk thresholds in an organization, and basing decisions on what is considered a good security investment vs a bad security investment.  Assessing risk and mitigating controls to ascertain the true value of an investment takes a bit of operational overhead if it is not already a component of the business culture.  So we end up seeing (X is too Y to Z) as a means justify side-stepping the issues at hand.

How do we shift from the (X is too Y to Z) mindset to one that better serves the organizations that we protect?  I don’t know if there is a single answer to that question, and for most, it takes a breach, or some other security concern to challenge individuals to take the actions that (X is too Y to Z) steered them away from.

One thing to consider, when facing the virtual ban hammer of budget land, is that there are plenty of open source tools available for use.  Many of these tools do great things, with the only investment needed being a little elbow grease and perhaps some fractions of compute.  They can help offset budgets and fill gaps, when you run into roadblocks put up by (X is too Y to Z).  Many of these offer some actionable metrics that should enable you to turn the tables on the (X is too Y to Z) objection and perhaps allow you to use the format to motivate upper management; X(Our exposure to risk) is too Y(great($Metric)) to Z(to continue operating in this manner.)

 In the meantime, we can continue to hope that the (X is too Y to Z) concept will be a passing fad.  That instead of hearing, “My company is too small to be breached… too obscure to be breached… too this or that to be something”, we will see a continued trend of more companies escalating security from merely a perimeter, or infrastructure viewpoint, and coming to understand that the principled exercise of practicing security enables business, instead of disabling it.

About the Author

Corey Wilburn is the Security Practice Manager at DataEndure where he specializes in the design of strategic solutions, aimed at delivering high-value operational intelligence, leveraging best-in-class products as well as services built around current and emerging standards. He has a passion for InfoSec Policies, Processes and Procedures.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.