"Why do we only spend 8% of the budget on email protection when 90% of attacks come via emails?"
These motivational words were said to 150 sales folk at a security reseller conference last week. Quickly followed by...
"Sell more email protection technologies. Customers don't have enough email defence in depth."
Defence in Depth
You'll hear the standard definition of defence in depth: Add more layers of security, and if one layer fails, the next layer will protect you.
This idea led to the culinary analogy of Swiss cheese...
Each slice of Swiss cheese has plenty of holes. But if sufficient layers are placed on each other, each hole will be covered.
And, as with eating an oversized deli sandwich topped with Swiss cheese, every bite can shift the alignment of the slices - much as the business and threat landscape is constantly shifting.
But "just one more slice of Swiss cheese" isn't the recipe for a tasty or healthy sandwich.
There must be limits.
While budget may seem to be the obvious limiting factor, there's a better way to think about this.
Back to First Principles
It's all about risk.
All cybersecurity programmes start with a risk analysis and a risk treatment plan.
For risk analysis - that means asking:
- What threats do we face?
- How likely are they to happen?
- If they did happen - what would be the impact?
And for the risk treatment - that means asking:
- Is the level of risk this poses unacceptable?
- Can the probability or impact be reduced (mitigated) in some way? By a process or tool?
- Once the process or tool has been applied - is the leftover risk (the residual risk) acceptable?
- If not, go back and add another...
Therein lies the crux.
No cybersecurity solution perfectly addresses the risks you face.
There will almost always be a "But what about…?" question.
Take the most common risk you face - a staff member runs malware on their laptop.
Without any risk treatment - this is very likely to happen. If the malware is the start of a ransomware attack, the impact will be very high.
And so, part of the risk treatment plan could be...
Mitigation Objective 1: Make it more challenging for malware to get into your business
- Use a firewall to prevent direct access to internal company systems
- Use email filtering to block malicious emails before they reach the user
- Use DNS filtering to prevent access to known bad websites
Mitigation Objective 2: Make it hard to run malware that has made it into your business.
- Security awareness training for all staff - don't click on unsolicited links
- Run antivirus/EDR/XDR
The list of tools and processes to address the risk can grow very long. But you will fight diminishing returns - each additional unit of spend buys less additional risk reduction than the last.
As I've said before - aiming for vulnerability zero is never a good idea. At some point, the risk impact and probability will reach an acceptable level.
"But what about - marketing using TikTok and getting an unsolicited DM? We need a TikTok filtering engine for your social media manager's phone..."
But isn't that already covered by security awareness training? Which you probably already have...
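As an added illustration (not part of the original post), here is a toy risk-treatment model in Python: risk is likelihood x impact, each control lets some fraction of the remaining likelihood through, and controls are added in order of risk reduction per unit cost until the residual risk drops to the business's acceptable level. All costs, likelihoods and effectiveness figures are constructed assumptions, and the greedy ordering is one simple way to prioritise, not a prescribed method.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # constructed figure, arbitrary currency units
    pass_through: float   # fraction of the remaining likelihood that still gets through (0..1)

# Scenario from the post: a staff member runs malware that starts a ransomware attack.
# All three numbers are constructed assumptions for the illustration.
BASE_LIKELIHOOD = 0.9       # "very likely" per year with no treatment
IMPACT = 1_000_000          # loss if it happens
ACCEPTABLE_RISK = 50_000    # annual expected loss the business will tolerate

# Candidate controls from the post's two mitigation objectives plus the TikTok filter;
# costs and effectiveness are constructed, not vendor figures.
CONTROLS = [
    Control("firewall", 10_000, 0.5),
    Control("email filtering", 15_000, 0.3),
    Control("DNS filtering", 10_000, 0.7),
    Control("security awareness training", 8_000, 0.5),
    Control("antivirus/EDR", 30_000, 0.3),
    Control("TikTok DM filter for marketing phone", 25_000, 0.98),
]

def residual_risk(controls):
    """Expected annual loss once the given controls are in place (likelihood x impact)."""
    likelihood = BASE_LIKELIHOOD
    for c in controls:
        likelihood *= c.pass_through
    return likelihood * IMPACT

def marginal_benefit(chosen, candidate):
    """Extra risk reduction the candidate adds on top of what is already in place."""
    return residual_risk(chosen) - residual_risk(chosen + [candidate])

def treatment_plan(controls=CONTROLS, acceptable=ACCEPTABLE_RISK):
    """Add the control with the best reduction per unit cost until residual risk is acceptable, then stop."""
    chosen, remaining, steps = [], list(controls), []
    while residual_risk(chosen) > acceptable and remaining:
        best = max(remaining, key=lambda c: marginal_benefit(chosen, c) / c.annual_cost)
        remaining.remove(best)
        steps.append((best.name, marginal_benefit(chosen, best)))
        chosen.append(best)
    return chosen, steps

def total_cost(controls):
    return sum(c.annual_cost for c in controls)

if __name__ == "__main__":
    chosen, steps = treatment_plan()
    for name, reduction in steps:
        print(f"add {name:36s} cuts expected loss by {reduction:>10,.0f}")
    print(f"residual {residual_risk(chosen):,.0f} <= {ACCEPTABLE_RISK:,}; spend {total_cost(chosen):,}")
    print(f"TikTok filter would now add only {marginal_benefit(chosen, CONTROLS[-1]):,.0f} of reduction")
```

Running it shows each added control buying less reduction than the last, the plan stopping with controls still on the list, and the TikTok filter's marginal benefit being tiny; the email filter's share of the resulting spend is an output of the plan, not a target set in advance.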
So, like layering Swiss cheese on an oversized deli sandwich, an extra slice may be good... but you can have too much of a good thing and need to know when to stop.
In cybersecurity - that's the moment the residual risk is at an acceptable level for the business.
If the residual risk isn't acceptable - keep looking for more solutions.
If it is... stop.
This has nothing to do with % of the cybersecurity budget.